III. Privacy issues
Guidelines for industry
The Cabinet Office announced that each Ministry is drawing up guidelines for protecting personal information, corresponding to industrial classifications by the fall of 2004. By March 31, 2005, each Ministry had published 35 individual guidelines in 22 industry areas in order to prompt personal information protection in the private sector.1
The Ministry of Finance, Wealth and Labor, and the Ministry of Internal Affairs and Communications (MIC) planned to introduce legislation to protect personal information, including individual credit data, medical data, and data in the field of broadcast by the end of 2004.2 On January 27, 2005, the Cabinet Office announced that the government had enacted new legislation in the medical, financial and telecommunications sectors.3
Privacy mark system
In February 1998, the Ministry of International Trade and Industry (MITI) established a Supervisory Authority for the Protection of Personal Data to monitor a new system for the granting of "privacy marks" to businesses committing to the handling of the personal data in accordance with the MITI guidelines, and to promote awareness of privacy protection for consumers. The "privacy mark" system is administered by the Japan Information Processing Development Center (JIPDEC) ‚Äì a joint public/private agency promoting e-commerce and designing regulatory guidelines on the information technology industry.4
Companies that do not comply with the industry guidelines will be excluded from relevant industry bodies and not granted the privacy protection mark. It is assumed that market forces will then penalize them. However, in addition, the new Supervisory Authority will investigate violations and make suggestions as necessary to the relevant administrative authorities.5 An analysis of the marks done for the European Union by four academic privacy experts found that there were serious shortcomings in the system.6 In the first two years of the JIDPEC program, companies seeking certification were dominated by businesses that handle personal information, such as marriage bureaus; in total, the JIPDEC awarded about 140 licenses.7 In May 2000, the JIPDEC agreed with BBBOnline, a division of the US-based Better Business Bureau, to mutually recognize each other's privacy protection marks. Because of growing concerns for privacy among the public, the number of companies holding "privacy marks" has increased. By June 15 2007, 7,707 companies had been awarded privacy marks by JIPDEC, up from 1,562 companies in 2005.8
Constitutional privacy framwork
Article 21 of the 1946 Constitution states, "1) Freedom of assembly and association as well as speech, press and all other forms of expression are guaranteed. 2) No censorship shall be maintained, nor shall the secrecy of any means of communication be violated." Article 35 states, "1) The right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon warrant issued for adequate cause and particularly describing the place to be searched and things to be seized. . . . 2) Each search or seizure shall be made upon separate warrant issued by a competent judicial officer."9
In response to the Internet Provider Responsibility Law of 2001 (IPRL), which restricts the liability of Specified Electronic Telecommunications Service Providers when they disclose customers' information,10 Japanese Internet Service Providers (ISPs) issued in 2002 the Guidelines for protecting privacy and honor under the IPRL (The Guidelines).11 The guidelines limit dissemination of private information without specific consent, allow ISPs to delete user information, and require them to maintain information posted by users about public figures.12 The first test case involved Yahoo Japan. On March 31, 2003, the district court of Tokyo ordered Yahoo to identify and disclose information on one of its users, who had posted a defamatory comment about the plaintiff on Yahoo's bulletin board.13 In 2007 Japanese ISPs issued new Guidelines for the disclosure of user identity information.14 According to the Guidelines, ISPs generally disclose to law enforcement in cases of defamation, privacy infringement, copyright infringement, trademark infringement, etc. However, in almost all cases, responses to disclosure demands are so difficult and onerous that ISPs require a court order before engaging in the exercise of identification and disclosure.15
Japan has two anti-spam laws. The laws allow Internet users and text-enabled mobile phones to opt out of spammers' contact lists, and require that all unsolicited commercial e-mail be clearly identified. MIC enforces the law, imposing fines of up to JPY 500,000 (~USD 4,170) for failure to comply. Another law enforced by MITI is intended to protect consumers. Repeat or egregious offenders can be fined up to JPY 3 million (~USD 25,000) or two years in prison.16 Corporate offenders can face up to JPY 300 million (~USD 2.5 million) in fines.
Radio Frequency Identification (RFID) Technology
Major RFID manufacturers in Japan include NEC, which recently became the first Japanese firm to join the EPC Global standards body17 and Hitachi, which manufactures the 0.3 millimeter square Mu chip.18 RFID applications are fairly widespread in Japan. On March 22, 2004, after several months of testing, the East Japan Railway Co. Ltd. began formally offering an RFID-enabled "e-money" system to customers using its "Suica" card, allowing customers to shop at 196 convenience stores and restaurants located in 64 stations.19 During the last two years, RFID tags have quickly become widespread. The Ministry of Economy, Trade and Industry (METI) formed an industry consortium aimed at reducing the cost of RFID tags to JPY 5 (~USD 0.05) each within two years, in order to encourage use.20 While IC tags have some value for retailers, giving detailed information on goods, including not only prices but production places and distribution channels, there are fears that personal information, such as purchase history and location data, may be disclosed to third parties.21 Joint guidelines released by MIC and METI on June 8, 2004 call for consumers to be given options on how they might interfere with the reading of tags but appear to say nothing about rights to have the tag removed or destroyed.22 The guidelines provide that: 1) consumers must be notified of the presence of RFID tags; 2) consumers have the right to choose whether they want to use the tags; 3) RFID tag users must provide information about the public benefits of RFID tags; 4) the Personal Information Protection Act applies when there is matching between RFID tag-related data and databases; 5) tag users must restrict their use of personal information gathered through RFID tags; 6) tag users must ensure the accuracy of the personal information recorded through RFID tags; 7) appointment of information administrators; and 8) accountability and provision of information to consumers.23
In February 2005, NTT Data Corp. announced that it had developed a security system using integrated circuit tags designed to signal the whereabouts of children as a means of protecting them against a growing trend of kidnapping among schoolchildren.24 Some municipal and private schools have started testing this IC-tag tracking system.25
In March 2000, it was discovered that a research company had secretly conducted genetic tests on 1,000 blood samples obtained from people who had donated blood to the Japanese Red Cross Society. The Health and Welfare Ministry launched an investigation in November 1999 into reports that a dealer was selling private information on people receiving medical treatment, including their clinical histories. Several months later, Tohoku University in Sendai and the National Cardiovascular Center in the Osaka Prefecture city of Suita also disclosed that they had studied the genes of blood donors without obtaining their consent. A poll conducted by the Mainichi newspaper suggests that this is standard practice, finding that 70 percent of medicine faculties in 64 universities around Japan are conducting gene tests.26 Health and Welfare Minister Yuya Niwa said that the ministry is investigating the case and will consider setting up laws regulating such leakage of patients' medical data.
On December 17, 2004, METI released Guidelines for the Protection of Personal Information in Businesses That Use Human Genetic Information. The Guidelines require businesses using genetic information to give prior notification of the purpose of use of the genetic data, as well as get written consent from data subjects.27
The National Police Agency (NPA) revealed that the police are creating a system to collect DNA samples from criminal suspects upon obtaining court permission to do so, and to enter them into a database. The NPA had already started running a database on DNA collected from crime scenes. But the agency had been carefully discussing whether to create a database of DNA taken from crime suspects as such information is considered private information.28
In the same anti-crime package of bills under which the wiretapping law was passed, the Diet also provisionally approved the Basic Resident Registers Law, granting Tokyo the authority to issue an 11-digit number to every Japanese citizen and resident alien, and requiring all citizens and resident aliens to provide basic information ‚Äì name, date of birth, sex, and address. The registered data is computerized and connected to the nationwide Resident Registry Network System (RRNS, also called "Juki-Net") created by the law. The government planned to expand the use of the registry code to offer administrative services "more efficiently" via this network.29 The RRNS was partly launched on August 5, 2002. Yokohama, the nation's largest municipality, had originally given residents the choice to opt out of RRNS, but the municipality revoked this option in 2006.30 As of June 2007, three municipalities refuse to participate in Juki Net.31
The Nagano Prefecture carried out hacking, using a computer from outside the local body offices with a LAN connection and through the Internet, to verify the vulnerability of the RRNS system between September and November 2003.32 Their results found that access to private information on residents was accessible with local area network (LAN) connections, both from within and outside local body offices. Part of the tests also reportedly showed that it was possible to falsify personal data in the network and send it to servers nationwide.33 The Saga Prefectural Police arrested a 46-year-old man on suspicion of illegally obtaining a resident registry card of another man in September 2003. It is alleged that he used the card to borrow several hundred thousand yen from many consumer finance firms. This is the first arrest made over illegal use of RRNS.34
On May 31, 2005, the Kanazawa District Court ordered the government to delete personal information from the RRNS about 28 plaintiff-residents of the Ishikawa Prefecture.35 The court explicitly stated that the government violated the right to privacy considered in the Constitution as the right to control one's own information, and held that all residents' information was subject to privacy rights, and, therefore, that individuals' consent was required when it forcibly placed the plaintiffs' personal information on the RRNS.36 The Court, however, dismissed the plaintiffs' demand for compensation from the government.37 A day after this decision, the Nagoya District Court ruled that the RRNS does not violate privacy rights under the Constitution.38 The Nagoya District Court held that residents' names, addresses, birth dates and genders, plus 11-digit resident codes stored in the network that people can access over the network, "do not need to be highly protected." It held that the plaintiff's rights and legal interests had not been infringed upon.39 In both Nagoya and Kanazawa, the plaintiffs who comprised members of the Tokai and Ishikawa branches of a nationwide association against RRNS, insisted that their rights to privacy, guaranteed under Article 13 of the Constitution, were in jeopardy as the network shared basic personal information with the central and local governments.40
In November 2006, the Osaka Appeal Court (Osaka Koto Saibansho) permitted four residents of three cities in Osaka Prefecture to have their personal data removed from the RRNS. The Court rules that the entry of personal data into the national Juki Net database without residents' consent is unconstitutional.41 The mayor of one city has accepted the ruling, while the mayors of the other two municipalities said they will appeal the decision to the Supreme Court.42 In December 2006, the Nagoya Appeal Court came to the opposite conclusion and rejected a demand to delete plaintiffs' personal data.
As of July 2007, there are 14 decisions on the district court level, and two lawsuits remain. 13 decisions are for the defendant municipalities, and only one decision ruled in favor of the plaintiff. At the appeal court level, ten lawsuits are pending. There are two decisions, one for plaintiff, and the other for the defendant. The Supreme Court has two lawsuits still pending.43
In June 2002, the Defense Agency revealed that it had been collecting names of people requesting information via the new law and cross-referencing the list with private information, such as the political affiliations of the requestor.44 While it is as yet unclear whether the list constitutes a clear violation of the law, it has sparked a huge outcry by the public, including calls for the resignation of defense officials.45 On February 12, 2004, the Tokyo District Court ruled that a list compiled by the Defense Agency on people who sought information from it violated their privacy, and ordered the government to pay JPY 100,000 (~USD 915,600) in compensation to a writer who was on the list.46
According to the Cabinet Office's 2006 survey on the protection of personal information, 71.1 percent of people in Japan are worried that their personal information may be leaked from public entities and private firms, up drastically from 39.8 percent in a previous survey in 1989, and up slightly from 2002.47 The year 2004 saw many massive data leaks cases. It came to light that personal data of about 4.6 million subscribers to Yahoo BB (Broad Band Phone Service) Internet access service was leaked by its employees. The case is unprecedented in Japan in terms of volume.48 The Metropolitan Police Department arrested four persons for allegedly blackmailing Softbank Corp. ‚Äì the company that operates Yahoo BB ‚Äì as well as an affiliate, including the company employees, by threatening to leak confidential customer data they had illegally obtained from those companies. Softbank Corp. allowed several people to share the same ID and password to access its database. Stolen information included each subscriber's name, address, phone number, subscription starting date and e-mail address, but did not include credit card details.49 Three of Yahoo BB's customers launched a damages suit against the service operator Softbank Corp. before the Osaka District Court over the massive leak of customer information. The three plaintiffs, Yahoo BB's customers, are demanding JPY 100,000 each in compensation.50
There were other similar cases that resulted from failures in proper management of personal data involving such companies as Sanyo Shinpan Finance Co., one of the major consumer finance firms (up to two million customers' personal data),51 consumer credit company Nihon Shinpan (up to 100,000 customers),52 Suntry (75,000),53 major travel agent Hankyu Express (620,000),54 DSL service provider ACCA Networks (about one million),55 teleshop service JAPANET TAKATA (660,000),56 and Cosomo Oil (920,000).57
According to the Ministry of Internal Affairs and Communication, 52 cases involving major leaks of personal information were reported during the past three years.58
On May 12, 2004, METI‚Äôs Information Security Subcommittee resolved to call on the Government to amend the Criminal Code to include a criminal offense of "information theft." The Subcommittee called for the theft of information to attract the same penalties as the theft of any tangible object. Japanese law does not currently penalize the unauthorized electronic transfer of information, and the Personal Information Protection Act does not penalize individuals. METI will work with the Ministry of Justice and the Cabinet Office on the proposal to amend the law.59
Voting in Japan is voluntary for those 20 years of age or older.60 In 2001, the law governing elections in cities, towns, and villages was changed to allow electronic voting. Electronic voting was conducted at the municipal level for the first time in 2002, when the city of Niimi in the Prefecture of Okayama allowed their use in a mayoral and local assembly election.61 More than 15,000 voters at 43 polling locations in Niimi cast votes on touch-screen voting machines. The Public Management Ministry plans to revise the Public Office Election Law to allow the use of electronic voting for national elections.62 Before the use of electronic voting, all ballot selections were handwritten by voters and counted by hand.63
- 1. Email from Yukiko Miki, Information Clearinghouse, Japan, to Allison Knight, Research Director, Electronic Privacy Information Center, July 10, 2007 (on file with EPIC).
- 2. "Industry Guidelines on Personal Information Is Being Established," Nihon Keizai Shimbun, June 11, 2003.
- 3. "Individual Personal Information Laws Were Passed on," Nihon Keizai Shimbun, January 28, 2005.
- 4. http://www.jipdec.or.jp/security/privacy/index-e.html
- 5. Nigel Waters, "Reviewing the Adequacy of Privacy Protection in the Asia Pacific Region," IIR Conference Information Privacy - Data Protection, June 15, 1998, Sydney; see also, Ministry of International Trade and Industry, "Japan's Views on the Protection of Personal Data" (April 1998).
- 6. Raab, Bennett, Gellman & Waters, European Commission Tender No. XV/97/18/D, Application of a Methodology Designed to Assess the Adequacy of the Level of Protection of Individuals with Regard to Processing Personal Data: Test of the Method on Several Categories of Transfer, September 1998.
- 7. "Japan, US Bodies Ink Deal on Data-privacy Certification," The Yomiuri Shimbun, May 19, 2000.
- 8. http://privacymark.jp/
- 9. http://www.solon.org/Constitutions/Japan/English/english-Constitution.ht...
- 10. Law No. 137, 2001 was promulgated on November 30, 2001.
- 11. http://www.telesa.or.jp/guideline/pdf/provider_041006_2.pdf
- 12. "Japanese ISPs, Carriers, Users Release Guideline for ISP Privacy Protection Duties," Bureau of National Affairs Privacy Law Watch, April 17, 2002.
- 13. "The Court First Ruled that ISP Disclose Name of its User," Mainichi Shimbun, March 31, 2003.
- 14. http://www.telesa.or.jp/consortium/pdf/provider_070226_guideline.pdf
- 15. Email from Yasutaka Machimura, Hokkaido University School of Law, Japan, to Allison Knight, Research Director, Electronic Privacy Information Center, July 7, 2007 (on file with EPIC).
- 16. Toru Takahashi, "2 New Laws Aimed at Cutting Spam," Daily Yomiuri, July 2, 2002.
- 17. http://www.japancorp.net/Article.Asp?Art_ID=7368
- 18. http://www.rfidjournal.com/article/articleview/337/1/1/
- 19. "JR East to Extend E-Money Service with 'Suica' Smartcard," NE Asia News, February 19, 2004.
- 20. "METI to Form Consortium to Cut IC Tag Price to 5 Yen," Japan Today, March 25, 2004.
- 21. "Japan Moves to Protect Privacy to Promote Radio Tags," Jiji Press Ticker Service, February 23, 2004.
- 22. http://www.rfidbuzz.com/news/2004/japanese_rfid_privacy_guideline_releas...
- 23. The RFID Guidelines contain the following headings: "1. Purpose; 2. Scope; 3. Notification of the presence of RFID tags; 4. Ultimate right of consumer to choose to deactivate RFID tags; 5. Obligation to provide information on benefits of RFID tags; 6. Presumption for application of the Personal Information Protection Act to information stored on RFID tags; 7. Restriction on usage of personal data gathered from RFID tags; 8. Ensuring accuracy of personal information stored on RFID tags; 9. Assignment of Information Administrators for RFID-related issues; 10. Accountability to consumers; see also, Nihon Keizai Shimbun, June 8, 2004.
- 24. "NTT Data to Electronically Tag Kids," The Daily Yomiuri (Tokyo), February 22, 2005.
- 25. Id.
- 26. Manabu Yoshikawa and Yasuyoshi Tanaka Mainichi Shimbun, "Ethicists OK Gene-sample Research," Mainichi Daily News, May 8, 2000.
- 27. http://www.meti.go.jp/feedback/downloadfiles/i41227dj.pdf
- 28. "Japan's Police Have Decided to Keep a DNA Database on Crime Suspects, Officials Said," Mainichi Shimbun, April 28, 2005.
- 29. "Diet Passes Wiretap, ID Bills," Asia Intelligence Wire, August 13, 1999.
- 30. "Yokohama Gov‚Äôt to Submit Citizens‚Äô Data to Juki Net," TheDaily Yomiuri, May 11, 2006.
- 31. Id.
- 32. "Nagano Gov't Hackers Easily Infiltrate 'Big Brother' Network," Mainichi Daily News, December 16, 2003.
- 33. Id.
- 34. "1st Arrest Made over Illegal Juki Net Use," The Daily Yomiuri, February 8, 2004.
- 35. "Court Orders Government to Delete Residents' Personal Information from Registry Network," Mainichi Daily News, May 30, 2005.
- 36. "Juki Net Clouds Privacy Rights," The Daily Yomiuri, June 2, 2005,
- 37. Id; "The Defendant Ishikawa Prefecture Appealed to the Higher Court afterward," Mainichi Shimbun, June 7, 2005.
- 38. "Court Rules Juki Net not a Violation of Privacy," The Daily Yomiuri, June 1, 2005.
- 39. Id.
- 40. Id.
- 41. "Osaka court lets 4 remove information from Juki Net," Daily Yomiuri, December 1, 2006.
- 42. "Cities split on obeying court ruling on Juki Net," Japan Times, December 8, 2006.
- 43. Email from Yashuko Machimura, supra.
- 44. "MSDF Officer Compiled Personal Data on People Seeking Defense Agency Info," Japan Times, May 29, 2002.
- 45. "Private Data Kept by All SDF Arms," Japan Times, June 4, 2002.
- 46. "Court Rules Defense Agency's Info List Illegal, Violates Privacy," Japan Economic Newswire, February 12, 2004.
- 47. http://www8.cao.go.jp/survey/h18/h18-hogo/index.html
- 48. "Yahoo! BB subscriber info leaked," The Daily Yomiuri, February 25, 2004, at 1.
- 49. Id. As an apology to its customers, Softbank sent them JPY 500 gift certificates, a measure that could have cost the company about JPY four billion. Taiga Uranaka, "Softbank Offers 500 to Yahoo! BB Users, Confirms Data Leak on Millions," The Japan Times, February 28, 2004.
- 50. "Internet Customers Sue Yahoo! BB Operator over Info Leak," Mainichi Daily News, May 17, 2004.
- 51. Nihon Keizai Shimbun, May 11, 2004.
- 52. Id. April 26, 2004.
- 53. Id. March 30, 2004.
- 54. Id. June 2, 2004.
- 55. Id. May 25, 2004.
- 56. Id. May 9, 2004.
- 57. Id. June 8, 2004.
- 58. "Bills on Personal Data Seek Balance," The Daily Yomiuri, May 8, 2003.
- 59. "METI To Seek Law against Information Theft," Nihon Keizai Shimbun, May 15, 2004.
- 60. http://www.cia.gov/cia/publications/factbook/geos/ja.html#Govt
- 61. "Electronic Voting Opens New Doors," Mainichi Daily News, June 24, 2002.
- 62. "Electronic Vote Eyed for '04 Poll," The Daily Yomiuri, January 4, 2002.
- 63. Id.