Privacy Law and Policy Reporter
Japan’s new personal information protection law
David E Case and Yuji Ogiwara WHITE & CASE LLP TOKYO — KANDABASHI LAW OFFICE
On 23 May 2003, five Bills were passed by the Japanese Diet relating to the use of personal information by government and private entities. This article focuses only on the portions of the legislation applicable to the use of personal information by private parties (the Privacy Law).
On 27 March 2001, similar privacy legislation was introduced into the Diet for deliberation, but was finally left to expire in December 2002. The primary stumbling block was widespread criticism that the freedom of journalists and academics would be impaired. For a short while, it looked as if the legislation might fail to pass by the end of the Diet session in mid-June, but a political compromise was reached and the legislation passed at the end of May.
The political compromise between the ruling parties led by the Liberal Democratic Party (LDP) and the Democratic Party of Japan (DPJ) that saved the new Privacy Law should be of interest to privacy and data protection practitioners. First, the LDP and DPJ agreed to enact (or have promulgated by certain ministries) additional data protection laws and regulations targeting specific industries. The selected industries are the medical, financial credit and telecommunications industries. The Privacy Law already applies to these industries, but it is presumed by people familiar with the new Privacy Law that the industry specific laws and regulations will provide additional detail as to how personal information (defined below) must be handled by companies in those industries. Second, the Privacy Law is totally open to revision in three years.
The new Privacy Law establishes fundamental rules and a basic policy regarding the collection and use of personal information by private parties and public entities. A stated goal of the Privacy Law is to protect individuals’ rights and welfare. In its first article, the Privacy Law provides that the creation of an advanced information society in which personal information is used by public and private entities is a desired goal. The most striking feature of the Privacy Law is that instead of being a detailed framework of laws and regulations regarding the collection and use of personal information, its provisions are very general. Clearly, the Privacy Law is but a first step in the area of data protection law in Japan. Prior to the passage of the Privacy Law, the collection and use of personal information was minimally regulated.
Features of the Privacy Law
The Privacy Law is intended to set forth fundamental principles for collecting, using, handling and transferring personal information. Article 3 of the Privacy Law provides:
In view of the fact that personal information should be treated with care based on the philosophy of respect for personality of an individual, personal information must be treated appropriately.
Due to concerns by media and academia, deleted from this version of the Bill was a set of basic principles or mores regarding the use of personal information that was contained in the previous version that failed to pass in December 2002. The basic principles in the lapsed Bill stated that personal information be: (i) used to the extent necessary to achieve a specific and appropriate purpose; (ii) acquired through a legal and appropriate manner; (iii) held in correct and current form; (iv) handled with safety and care; and (v) handled in a way that the underlying person shall be involved in the handling process. Instead, these same principles are addressed in the Privacy Law itself. Features of the Privacy Law follow.
The definition of personal information is similar to that of other jurisdictions. ‘Personal information’ (Kojin Joho) is information that relates to living individuals and which can be used to identify specific individuals by name, date of birth, or other description (including that which can be easily compared with other information to identify specific individuals). The individual identified by personal information is called a principal or ‘individual’ (Hon-nin). A collection of personal information structurally constituted so as to permit specific personal information to be easily retrieved electronically is called personal data (Kojin Deta).
Covered persons and entities
The Privacy Law is applicable to private parties and both national and local public entities, but under separate regimens. At this point, government entities are only obligated under the Privacy Law to establish basic policies concerning the protection of personal information in the future. As a result, the bulk of the Privacy Law’s articles apply to private parties. A private party (either a person or business) that uses personal information in a business operation is called a ‘business handling personal information’ (Kojin Joho Toriatsukai Jigyo-sha) or ‘business’. The definition of a business is narrower than a ‘controller’ under the EU Privacy Directive. The definition of a business expressly excludes (i) organs of the national government; (ii) local public entities; (iii) certain independent administrative corporations; and (iv) ‘persons designated by government ordinance as being little or no threat to the rights or welfare of individuals from the standpoint of the quantity of personal information handled and the method of use’. Any business that collects, handles or uses personal information but holds fewer than 5000 records falls outside the Law’s coverage. One of the rationales behind this 5000 record exemption was to permit small business owners, delivery truck operators and salespeople and so on that have programmed into their car navigation systems customer names, addresses and telephone information to continue to use such information without having to send to each individual notice of what data has been collected and how it is used.
Collection of personal information
A business may collect any type of personal information, but a business may not collect personal information beyond that which is required to achieve the disclosed purpose of use. Although there was some discussion in Japan regarding the introduction of an opt-in regime for the collection of sensitive information by businesses, the current version of the Privacy Law makes no distinction regarding the type of personal information being handled by a business.
Use of personal information
Controlling personal information
A business must ‘diligently’ maintain personal data in an accurate and up to date form to the extent necessary to achieve its intended purpose of use. At any time, individuals may request that their personal data held by the business be corrected or updated. The procedure by which individuals may request personal data be corrected may be established by the business. As with use of personal information, a business need not correct personal data if the cost or expense is excessive, provided the business implements some safeguard to protect the welfare of the individual. A business must also adopt measures to prevent unauthorised disclosure, loss or destruction of personal information within its control. Measures must include the appropriate supervision of employees who have access to personal information so as to achieve security of the personal information.
Although as a general rule personal information may not be disclosed to third parties without the prior consent of the individual, the Privacy Law contains a series of generous exceptions that permits onward transfer in certain circumstances. There are three exceptions to what might normally be considered a disclosure or transfer of personal information to a third party.
First, a business may delegate some or all of the personal data processing or fulfilment function to a service provider or subcontractor. The service provider or subcontractor may be located inside or outside of Japan and no special conditions or forms of agreement are required by the Privacy Law in either situation. If a business delegates all or a portion of the handling of personal data, it must provide necessary and appropriate supervision of the service provider or subcontractor regarding security. Provided the business meets its obligation to implement appropriate supervision measures of the service provider, the service provider and not the business would be liable in the first instance for any misuse of personal information.
Second, disclosing personal information to a successor in interest as part of a merger is not a disclosure to a third party that requires the prior consent of an individual. The successor would be bound by the declared purpose of use, but could modify it as discussed above.
Third, the sharing of, and joint use of, personal information by businesses in the same field within similar purposes of use is also permitted, provided that notice that personal information will be shared is given to the individual or the individual has been placed in circumstances whereby such matters can be easily learned. For example, companies in the financial credit area, travel agencies and so on, can share information in providing their services. The purpose of use notice might be printed on the back of the ticket, for example. Another example is that a department store could send personal information to a shipping company in order for goods purchased by the individual to be delivered.
The obligations and penalties of the Privacy Law applicable to private parties will be enforced starting from a yet to be determined date set by government ordinance, but in any event no later than two years from the Privacy Law’s date of promulgation (kofubi). Depending on the type of business and the industry in which it operates, the Ministry that typically has jurisdiction over the business activities of that business will also oversee compliance with the Privacy Law. No central agency has been appointed, although the Prime Minister may designate a specific minister or a committee of the National Public Safety Commission as the State Minister in Charge with respect to specific matters in handling of personal information by a business.
Finally, the Privacy Law has civil and criminal penalties ranging from admonishment orders, to fines of ¥100,000 to ¥300,000 (US$850 to $2600), and criminal sanctions. Penalties were absent from the previous version of the law and this was a source of much criticism.
Commentary written by Japanese scholars or attorneys regarding interpretation of the current version of the Privacy Law and its provisions will increase over the coming months. What is certain is that as various Ministries draft industry specific legislation and regulations the privacy debate will heat up again in Japan. Details left out of the current Privacy Law will be filled in. Already companies that extensively use or rely upon their customers’ personal information to do business are approaching Ministry officials with their concerns and suggested resolutions.
David E Case <email@example.com. com> is an Associate, White & Case LLP Tokyo — Kandabashi Law Office. He is Co-Chair of the Privacy Law Task Force of the American Chamber of Commerce Japan. Yuji Ogiwara <yogiwara@tokyo.whitecase.com> is an Associate, White & Case LLP Tokyo — Kandabashi Law Office.
This article previously appeared in the Privacy Laws & Business International Newsletter <www.privacylaws.com> and is republished with their permission.
Privacy Law at art 1.
Other data protection laws address electronic processing of personal information by administrative agencies (Law No 95, effective 1 October, 1989); see also Specified Commercial Transaction Law, Law No 57, 1976, art 11 regarding unsolicited email and direct marketing laws and regulations.
Privacy Law at art 2(1).
At art 2(6).
At art 2(2) and 2(4).
At art 1. As mentioned above, this article focuses only on those portions applicable to private parties.
At art 2(3). Under arts 4, 5 and 6, public entities are obligated to draft and execute regulations and ordinances needed to assure the appropriate handling of personal information.
This 5000 record exemption will be in the form of a Cabinet Order (seirei) but it will only be officially adopted after the public notice and comment period is complete.
Privacy Law at art 15. Article 18(4)(ii) states that a business need not inform the individual of its purpose of use if the business fears that its rights or fair profits will be harmed by such notification or by public announcement of the purpose of use.
At art 24.
At art 18(1).
At art 18(2).
At art 43.
At art 16(1).
For example, information regarding beliefs and religious faith, medical information, welfare payment records, criminal records, race, ethnicity, social status, place of birth or domicile of origin.
Privacy Law at art 15.
At art 18.
At art 27.
Generally, the Privacy Law exempts a business’s use or disclosure of personal information if pursuant to a law, ordinance or official order, or if necessary for the protection of human life, safety, or property, or if necessary to improve public hygiene or promote the health of children, provided in both cases only when it is difficult to obtain the consent of the individual. See, for example, art 16(3).
At art 19.
At art 25 and 26.
At art 20.
At art 21.
At art 23.
At art 23(4).
At art 22.
At art 36.
At art 56–59.