Article 13 of the Constitution provides that "the
right to life, liberty, and the
pursuit of happiness shall . . . be the supreme consideration in legilation and
in other governmental affairs." In 1963, the Supreme Court first recognized the
substantial right to privacy under Article 13 of the Constitution. Since then,
the right of privacy has been established under Artcle 13 by the courts'
precedents and has been applied to specific cases through the general provisions
of tort law in the Civil Code. However, until
recently Japan had no statute on privacy protection. For the private sector, the Japanese government
followed a policy of self-regulation, especially regarding electronic commerce.
On May 30, 2003, the Act Concerning the Protection of Personal Information
(the Act), with its general data protection principles, was eventually enacted
after a long controversy in the Diet (the Japanese Parliament). It is
expected to serve as fundamental legislation for protecting individuals both in
the private and public sectors.
The bill was enacted as "The Act Concerning the
Protection of Personal Information" (also called "The Personal
Information Protection Act," or referred to here as "the Act").
The Act establishes the basic ideals and principles that that will serve for future
legislation of on the protection of privacy both in the public and private
sectors Cabinet ministers are in charge of implementing it, and authorized to issue recommendations or orders to
businesses dealing with personal information. Those who refuse to follow
ministers' orders could face up to six months in prison or a fine of not more than
JPY 300,000. The legislation provides that ministers in charge must not
exercise their authority to issue orders to those who provide information to
the media. Some provisions such as the "Basic Ideals" and the
"Duties of the Government and Local Public Entities" will come into
force on the date of promulgation, whereas other provisions such as the
"Duties of an Enterprise That Handles Private Personal Information,"
the "Competent Minister," the "Promotion of the Protection of
Personal Information by a Private Body," "Exemptions," and
"Penal Provisions" will come into force within two years on a date
decided by an Ordinance of the Cabinet Office. Provisions for the basic
principles of personal information protection and national and local
governments' obligations came into force on May 30, 2003.
Four Laws Related to the Protection of Personal Information
On May 23, 2003, the Diet
passed, in addition to the Act itself, another package of four personal information
protection bills that include two laws that cover private businesses,
government organizations and independent administrative agencies. Four
laws related to the protection of personal information were
promulgated on May 30, 2003
as well: 1)
The Act concerning
the Protection of Personal Information
Held by Administrative Organs, which originally governed the use of personal information in computerized files, was completely amended
to govern paper-based data as well as computerized data. The 2003 act sets new criminal provisions for government officials who leak personal
information
without proper justification. 2) The Information Disclosure and Personal Information Protection Council Establishment Act, 3) The Act Concerning the Protection of Personal Information Held by an Independent
Administrative Agency, and 4) The Act concerning the Preparation of Related Laws for the Enforcement of the Act concerning the Protection of Personal Information Held by an Administrative
Organs.
These laws will be enacted by May 30, 2005.
The Cabinet Office announced that each Ministry draws
up guidelines for protecting personal information, corresponding to industrial
claasifications by the fall of 2004. The Ministry of Finance, Wealth and Labor,
and Public Management, Home Affairs, Posts and Telecommunications are planning
to introduce legislation to protect personal information, including individual
credit data, medical data, and data in the field of broadcast by the end of
2004.
In February 1998, the Ministry
of International Trade and Industry (MITI) established a Supervisory Authority
for the Protection of Personal Data to monitor a new system for the granting of
"privacy marks" to businesses committing to the handling of the
personal data in accordance with the MITI guidelines, and to promote awareness
of privacy protection for consumers. The "privacy mark" system is
administered by the Japan Information Processing Development Center (JIPDEC) –
a joint public/private agency promoting e-commerce and designing
regulatory guidelines on the information technology industry. Companies that do not comply with the industry guidelines will be
excluded from relevant industry bodies and not granted the privacy protection
mark. It is assumed that market forces will then penalize them. However, in
addition, the new Supervisory Authority will investigate violations and make suggestions
as necessary to the relevant administrative authorities. An analysis of the marks done for the European Union by four
academic privacy experts found that there were serious shortcomings in the
system. In the first two years of the JIDPEC program, companies seeking
certification were dominated by businesses that handle personal information,
such as marriage bureaus; in total, the JIPDEC awarded about 140 licenses. In May 2000, the JIPDEC agreed with BBBOnline, a division of the
US-based Better Business Bureau, to mutually recognize each other's privacy
protection marks. Because of growing concerns for privacy among the public, the
number of companies holding "privacy marks" has increased. By the end
of May 2004, 790 companies had been awarded privacy marks by JIPDEC.
Article 21
of the 1946 Constitution states, 1) "Freedom
of assembly and association as well as speech, press and all other forms of
expression are guaranteed. 2) No censorship shall be maintained, nor shall the
secrecy of any means of communication be violated." Article 35 states, 1) "The right of all persons to be secure in
their homes, papers and effects against entries, searches and seizures shall
not be impaired except upon warrant issued for adequate cause and particularly
describing the place to be searched and things to be seized. . . . 2) Each
search or seizure shall be made upon separate warrant issued by a competent
judicial officer."
In response
to the Internet Provider Responsibility Law of 2001 (IPRL) that restricts the liability of Specified Electronic
Telecommunications Service Providers when they disclose customers' information, Japanese Internet Service Providers (ISPs)
issued in 2002 draft guidelines for protecting users' online privacy. The
guidelines limit dissemination of private information without specific consent,
allow ISPs to delete user information, and require them to maintain information
posted by users about public figures. The first test case involved Yahoo! Japan. On March
31, 2003, the district court of Tokyo ordered Yahoo! to identify and disclose
information on one of its users, who had posted a defamatory comment about the
plaintiff on Yahoo!'s bulletin board. This case
is the first one that tested how the IPRL has to be interpreted.
The year
2002 also saw the implementation of two new anti-spam laws. The laws allow
Internet users and text-enabled mobile phones to opt-out of spammers' contact
lists, and require that all unsolicited commercial e-mail be clearly
identified. The Public Management Ministry enforces the law, imposing fines of
up to JPY 500,000 (~ USD 4,170) for failure to comply. Another law enforced by MITI is
intended to protect consumers.
Repeat or egregious offenders can be fined up to JPY 3 million (~ USD 25,000)
or two years in prison. Corporate offenders can face up to JPY 300
million (~ USD 2.5 million) fines.
Wiretapping
traditionally has been considered a violation of the Constitution's right of
privacy and has been authorized only a few times. However, in August 1999, the
Diet passed the controversial Communications Interception Law authorizing
wiretapping phone or faxes, and monitoring e-mail, when investigating cases
involving narcotics, gun offenses, gang-related murders and large-scale
smuggling of foreigners. Under the new law, which went into effect in
August 2000, the use of wiretaps is restricted to prosecutors and police
officers at the rank of superintendent and above, and requires police officers
to obtain warrants from district court judges in order to use wiretaps. The
warrants are good for 10 days and can only be extended for a total of 30 days.
Further, the presence of a third, independent party, such as an employee of
Nippon Telegraph and Telephone Company, is required during monitoring. Finally,
police and prosecutors must in principle notify individuals who have been
monitored within 30 days after the investigation. Strict penalties are possible
for those who abuse the wiretap policy. The National Police Agency (NPA) and Ministry
of Justice (MOJ) recently requested about JPY 170 million (~ USD 1.4 million)
in 2001 for the development of a "temporary mailbox" technology for
intercepting e-mail.
The
Federation of Bar Associations, journalists and trade unions opposed the
wiretap law. Opponents argue that Diet proponents of
wiretapping forced a vote on the bill before the legislatures could host a full
airing of the potential privacy problems it would create. Professor Toshimaru Ogura, of the Japanese Net
Workers against Surveillance Taskforce (NaST) and Toyama University, asserts
the law does not restrict the storage and use of information gathered, possibly
providing the government with a mandate to maintain databases on citizens that can
be shared by other domestic—and possibly foreign—agencies. Further, Professor Ogura argues that the MOJ
officials have a free hand to broadly intercept communications from innocent
people in the process of targeting criminals; for example, the MOJ proposed in
a Diet session that it could tap all of the in/outcoming phone calls of a
shipping company in an effort to capture drug smugglers.
The new law
was applied for the first time in May 2002 to break up a Tokyo drug ring.
Police monitored cell phones and e-mail based on a warrant, and arrested nine
suspects.
Many have
protested the wiretapping law as too large a grant of power, including one
lawmaker who sued alleging the police had illegally tapped his phone. Over 180,000 people have signed a petition for
the repeal of the wiretapping law. The signature-collecting Committee for the
Repeal of the Wiretapping Law submitted the petition to the Diet on May 24,
2000. In August, NTT asked that its employees not be
required to be present when taps are installed, saying it would likely have a
detrimental effect on company performance. Wiretapping is also prohibited under article
104 of the Telecommunications Business Law and article 14 of the Wire
Telecommunications Law.
In June
1997, the Tokyo High Court upheld a lower court's finding that the Kanagawa
Prefectural Police had illegally wiretapped the telephone at the home of a
senior member of the Japanese Communist Party. The court awarded damages of JPY
4 million. Several NTT employees have also been caught
recently selling information about customers. Several companies that provide for pre-paid
cellular phone service announced in May 2000 that, in order to prevent crime,
they would start requiring users to provide identification before using the service.
In a controversial international
development during the summer of 2001, a New Zealand researcher testified
before the European Union that New Zealand was intercepting electronic
transmission from Japanese embassies as part of the Echelon spy network. He claimed that the United States was primarily interested in
information on Japan's economic influence in the South Pacific. A group of Japanese civic groups have requested that their
government lodge a complaint against the US and the four other suspected member
nations of Echelon: New Zealand, Australia, the United Kingdom, and Canada.
The Ministry
of Transportation announced in June 1999 a plan to issue "Smart
Plates" license plates with embedded IC chips. These new licenses could be
issued as early as 2004, and will contain driver and vehicle information
and be used for road tolls and traffic control. Since 1986, the National Police Agency has also
operated a comprehensive video surveillance system called the
"N-system" in at least 540 locations on expressways and major
highways throughout the country, which automatically records the license plate
number of every passing car. Whenever a "wanted" car is detected,
the system immediately issues a notice to police. 11 motorists filed a lawsuit challenging the
system in 1997. The latest model of N-system can also photograph the faces of
drivers.
In response
to rising crime rates, Tokyo police have been operating surveillance cameras on utility poles
and buildings to monitor pedestrians in the several densely populated districts of the city. Lawyers opposing the move assert that this
surveillance is unconstitutional, pointing to a 1969 Supreme Court decision
against a police officer who secretly photographed a student activist in Kyoto. Other areas of the country are following
Tokyo's lead, but many privacy groups, such as NaST and the Consumers Union of
Japan are reporting on video surveillance and
publicizing all new camera installations. Suginami ward, one of
Tokyo's largest wards, enacted an ordinance to limit the rapid increase in the number of security
cameras being set up in public areas following heightened concerns about
privacy in the community.
In August, 2002, it was revealed that the Bureau of
Customs (affiliated agency of the Ministry of Finance) had installed
surveillance cameras at Japan's two international airports. The bureau has
refused to make public their location and number "for security concerns."
Major RFID
manufacturers in Japan include NEC, which recently became the first Japanese
firm to join the EPC Global standards body and Hitachi, which manufactures the 0.3
millimeter square Mu chip. RFID applications are fairly widespread in
Japan. On March 22, 2004, after several months of testing, the East Japan
Railway Co., Ltd began formally offering an RFID-enabled "e-money"
system to customers using its "Suica" card, allowing customers to
shop at 196 convenience stores and restaurants located in 64 stations. For the last two years, RFID tags have quickly become
widespread. The Ministry of
Economy, Trade and Industry (METI) formed an industry consortium aimed at reducing
the cost of RFID tags to JPY 5 (~ USD 0.05) each within two years, in order to
encourage use. While IC
tags have some value for retailers, giving detailed information on goods,
including not only prices but production places and distribution channels,
there are fears that personal information, such as purchase history and
location data, may be disclosed to third parties. Joint guidelines released by Japan's Ministry of
Public Management, Home Affairs, Posts and Telecommunications (MPHPT) and METI
on June 8, 2004 call for consumers to be given options on how they might
interfere with the reading of tags but appear to say nothing about rights to
have the tag removed or destroyed. The guidelines provide that: 1) consumers must be
notified of the presence of RFID tags; 2) consumers have the right to choose
whether they want to use the tags; 3) RFID tag users must provide information about
the public benefits of RFID tags; 4) the Personal Information Protection Act
applies when there is matching between RFID tag-related data and databases; 5)
tag users must restrict their use of personal information gathered through RFID
tags; 6) tag users must ensure the accuracy of the personal information
recorded through RFID tags; 7) appointment of information administrators; 8)
accountability and provision of information to consumers.
Private
surveillance is also on the rise. The Japan Institute of Labor reported that 35
percent of Japanese companies
are monitoring their employees' e-mail and Web use. Companies cited fear of viruses, sexual
harassment, and other concerns as the reasons for surveillance.
Japan is a
member of the Organization for Economic Cooperation and Development (OECD) and
a signatory to the OECD Guidelines on Privacy and Transborder Data Flows. Japan participated
as a non-member observer country in the negotiations on the Council of Europe
Convention on Cybercrime and signed the Convention in November 2001. In April 2004, the Congress ratified the Convention on Cybercrime. In
order to implement the Convention, the government started to amend related acts,
including the Criminal Code and the Code of Criminal Procedure. The Japanese
Bar Association opposes the amended provision, which allows investigating
authorities to preventive seizure without writ from the court.
In March
2000, it was discovered that a research company had secretly conducted genetic
tests on 1,000 blood samples obtained from people who had donated blood to the
Japanese Red Cross Society. The Health and Welfare Ministry launched an
investigation in November 1999 into reports that a dealer was selling private
information on people receiving medical treatment, including their clinical
histories. Several months later, Tohoku University in Sendai and the National
Cardiovascular Center in the Osaka Prefecture city of Suita also disclosed that
they had studied the genes of blood donors without obtaining their consent. A
poll conducted by the Mainichi newspaper suggests that this is standard
practice, finding that 70 percent of medicine faculties in 64 universities
around Japan are conducting gene tests. Health and Welfare Minister Yuya Niwa said that
the ministry is investigating the case and will consider setting up laws
regulating such leakage of patients' medical data.
The Law
Concerning Access to Information Held by Administrative Organs (also called
Freedom of Information Law) was
approved by the Diet in May 1999 and went
into effect in April 2001. The law allows any individual or company to
request government information in electronic or printed form. A nine-person
committee in the Office of the Prime Minster receives
complaints about information that the government refuses to make public and
examines whether the
decisions made by the ministries and agencies were appropriate. Government
officials still have broad discretion to refuse requests but requestors are able to appeal decisions to withhold documents
to one of eight different district courts. . According to the Ministry
of Public Management, Home Affairs, Posts and Telecommunications, 2,937 out of
3,260 cities and prefectural governments have enacted Freedom of Information
Ordinance by July 22, 2003.
In the same
anti-crime package of bills under which the wiretapping law was passed, the Diet also provisionally approved the Basic
Resident Registers Law, granting Tokyo the authority to issue a 11-digit number
to every Japanese citizen and resident alien, and requiring all citizens and
resident aliens to provide basic information – name, date of birth, sex, and
address. The registered data is computerized and connected to the
nationwide Resident Registry Network System (RRNS, also called
"Juki-Net") created by the law. The government planned to expand the
use of the registry code to offer administrative services 'more efficiently'
via this network. The RRNS
was partly launched on August 5, 2002. However, some local governments, such as
the city of Yokohama, the nation's largest municipality, have decided not to
participate in the network, and some local assemblies decided to postpone the
launch of the system. The six
local governments refused to log on to RRNS because of concerns for personal
information security. On July 26,
2002, a group of academics, journalists and Tokyo citizens filed a suit against
the state over the network, alleging that the network system invades the right
of privacy and is unconstitutional. The METI
said it would introduce an electronic information security audit system by
year-end to address public concerns. On August 22, 2002 METI officials set complete
audit guidelines that conform to international rules and entrust independent
auditing companies to inspect whether computer network systems of
municipalities and businesses are sufficiently secure in protecting private
information. On August
25, 2003, all of the prefecture's 34 municipal offices launched full RRNS operations.
The Nagano
Prefecture carried out hacking,
using a computer from outside the local body offices with a LAN connection and
through the Internet, to verify the vulnerability of the RRNS
system between September and November 2003.[64]
Their results found that
access to private information on residents was accessible with local area
network (LAN) ] connections, both from within and outside local body offices.
Part of the tests also reportedly showed that it was possible to falsify
personal data in the network and send it to servers nationwide. The Saga
Prefectural Police arrested a
46-year-old man on suspicion of illegally obtaining a resident registry card of
another man in September 2003. The suspect alleged that he used the card to borrow several hundred
thousand yen from many consumer finance firms. This is the first
arrest made over illegal use of RRNS.
In May 2002, the Defense Agency revealed that more
than 550 municipalities across the nation had provided the Agency with
registered personal data on teenagers that should not have been divulged. The Defense
Agency received information from those municipalities, such as the occupation and
health condition of teenagers' parents which does not appear in the
registration cards that anyone can access pursuant to the Basic Resident Registers Law . Such
cards only contain residents' names, addresses, dates of birth and gender. The
agency has used information to assist the Self-Defense Forces' (SDF) recruitment
activities. The Defense
Agency also revealed the collection activity for SDF had been conducted since
1966.
In June
2002, the Defense Agency revealed that it had been collecting names of people
requesting information via the new law and cross-referencing the list with
private information, such as the political affiliations of the requestor. While it is
as yet unclear whether the list constitutes a clear violation of the law, it
has sparked a huge outcry by the public, including calls for the resignation of
defense officials. On Febrary
12, 2004, the Tokyo District Court
ruled that a list compiled by the Defense Agency on people who sought
information from it violated their privacy, and ordered the government to pay
JPY 100,000 in compensation to a writer who was on the list.
According to
the Cabinet Office's survey on the protection of
personal information, 69 percent of the people in Japan are worried that
their personal information may be leaked from public entities and private
firms, up drastically from 39.8 percent in a previous survey in 1989. The year 2004 saw many
massive data leaks cases. It came to light that personal data of about 4.6
million subscribers to Yahoo! BB (Broad Band Phone Service) Internet access
service was leaked by its employees. The case is unprecedented in Japan in terms
of volume. The
Metropolitan Police Department arrested four persons for allegedly blackmailing
Softbank Corp. – the company that operates Yahoo! BB – as well as an affiliate,
including the company employees, by threatening to leak confidential customer
data they had illegally obtained from those companies. Softbank Corp. allowed
several people to share the same ID and password to access its database. Stolen
information included each subscriber's name, address, phone number,
subscription starting date and e-mail address, but did not include credit card
details. Three of
Yahoo! BB's customers launched a damages suit against the service operator
Softbank Corp. before the Osaka District Court over the massive leak of customer information. The three plaintiffs,
Yahoo! BB's customers, are demanding JPY 100,000 each in compensation.
There were
other similar cases that resulted from failures in proper management of personal data involving such companies as Sanyo
Shinpan Finance Co., one of the major consumer finance firms (up to two million
customers' personal data), consumer
credit company Nihon Shinpan (up to 100,000 customers), Suntry (75,000), major
travel agent Hankyu Express (620,000), DSL service provider ACCA Networks (about one milion), teleshop service JAPANET TAKATA (660,000), and Cosomo
Oil (920,000).
According to the Ministry of
Public Management, 52 cases involving major leaks of personal information were
reported during the past three years. In June 2002, The National Police Agency and the Metropolitan Police
Department
reported in May 2002 that names, addresses and
other personal information of some 50,000 visitors of the Kommy Corp. (a
beauty-treatment service firm)-operated web site, had been leaked. There were other similar cases involving such entities as
YKK Architectural Products Inc., All Nippon Airways World Tours Co. and Nihon
University.
Police authorities also warned that the massive leaks of
personal information resulted from simple errors in Web site design.
