I. Legal Framework
Constitutional privacy framework
Article 13 of the Constitution provides that "the right to life, liberty, and the pursuit of happiness shall . . . be the supreme consideration in legislation and in other governmental affairs." In 1963, the Supreme Court first recognized the substantial right to privacy under Article 13 of the Constitution. Since then, the right of privacy has been established under Article 13 by the courts' precedents and has been applied to specific cases through the general provisions of tort law in the Civil Code. However, until recently, Japan had no statute with respect to the processing of personal data in the private sector, for which the Japanese government followed a policy of self-regulation, especially regarding electronic commerce.1
Statutory rules on privacy
On May 30, 2003, the Act Concerning the Protection of Personal Information (the Act) was eventually enacted after a long controversy in the Diet (the Japanese Parliament).2 The Act is divided into two parts: 1) "Basic ideals and principles" that will serve for future legislation on the protection of privacy, both in the public and private sectors (Chapters 1 to 3), and 2) "General Provisions" on personal information protection in the private sector (Chapters 4 to 6).3 The Act defines "personal information" as information that relates to "living individuals," which can be used to identify specific individuals by name, date of birth, or other description (Article 2, Section 1). The "General Provisions" part details how businesses have to handle personal information,4 duties that are derived from the data protection principles of the OECD Privacy Guidelines.5 To promote the self-regulatory system and complaint handling of personal information in the private sector, the Act allows a Minister in charge to approve a "Certified Personal Information Protection Organization," which handles complaint settlement concerning personal information (Articles 37 to 49). Each Minister implements the Act for the area he is in charge of and is authorized to issue recommendations or orders to businesses dealing with personal information.6 Those who refuse to follow ministers' orders could face up to six months in prison or a fine of not more than JPY 300,000 (~USD 2,683). The Act also provides that ministers in charge must not exercise their authority to issue orders to those who provide information to the media. The Act came into full force on April 1, 2005.7
Related laws on protecting personal information
On May 23, 2003, the Diet passed, in addition to the Act itself, another package of four personal information protection bills that include two laws that cover private businesses, government organizations and independent administrative agencies.8 Four laws related to the protection of personal information were promulgated on May 30, 2003 as well: 1) the Act concerning the Protection of Personal Information Held by Administrative Organs, which originally governed the use of personal information in computerized files and was completely amended to govern paper-based data as well as computerized data9 (the 2003 Act sets new criminal provisions for government officials who leak personal information without proper justification10); 2) the Information Disclosure and Personal Information Protection Review Board Establishment Act; 3) the Act concerning the Protection of Personal Information Held by an Independent Administrative Agency; and 4) the Act concerning the Preparation of Related Laws for the Enforcement of the Act concerning the Protection of Personal Information Held by Administrative Organs.
- 1. http://www.kantei.go.jp/foreign/constitution_and_government/the_constitu....
- 2. http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf
- 3. The privacy legislation preceding the new 2003 Act was the 1988 Act for the Protection of Computer Processed Personal Data Held by Administrative Organs (the "1988 Act"). It was the first act on privacy protection and governed the use of personal information in computerized files held by government agencies. (The Act for the Protection of Computer Processed Personal Data Held by Administrative Organs, Act No. 95, December 16, 1988 (Kampoo, December 16, 1988)). Additionally, some local governments had enacted similar laws: the Prefecture of Kanagawa had legislation that protects privacy in both the public and private sectors. (Kanagawa Prefecture Ordinance on the Protection of Personal Data, Ordinance No. 6, March 30, 1990.) The 1988 Act was based on the OECD Privacy Guidelines and imposed duties of security, access, and correction. Agencies had to limit their collection to relevant information and publish a public notice listing their file systems. Information collected for one purpose could not be used for a purpose "other than the file holding purpose."
- 4. "Businesses Handling Personal Information" refers to a business that uses personal information databases, etc., for business operations, but excludes "organs of the national government," "local public entities," "independent administrative corporations, etc." and persons designated by government ordinance (Article 2).
- 5. http://www5.cao.go.jp/seikatsu/kojin/kaisetsu/index.html
- 6. http://www5.cao.go.jp/seikatsu/kojin/foreign/enforcement-status2005.pdf
- 7. Provisions on the basic principles of personal information protection and on national and local governments' obligations, such as the "Basic Ideals" and the "Duties of the Government and Local Public Entities," came into force on May 30, 2003, whereas other provisions such as the "Duties of an Enterprise that Handles Private Personal Information," the "Competent Minister," the "Promotion of the Protection of Personal Information by a Private Body," "Exemptions," and "Penal Provisions" came into force on April 1, 2005. The subcommittee on privacy protection of the Quality of Life Policy Council has reviewed the implementation of the Act Concerning the Protection of Personal Information since November 2004 to discuss whether revisions to the Act and its operation are necessary. The subcommittee published its opinion on June 29, 2007, in which it concluded that revisions are not necessary at this time. See "Govt urged to monitor 'overreaction' to info law," Daily Yomiuri, July 1, 2007.
- 8. "Japan Passes Personal Information Protection Bills," Mainichi Daily News, May 23, 2003.
- 9. http://www.soumu.go.jp/english/gyoukan/060516_02.html
- 10. The Act for Protection of Personal Data Held by Administrative Organs of 2003, Articles 53-55.