Online privacy in Japan is primarily governed by a general law, the Act on Protection of Personal Information (APPI), rather than a specialized law on online privacy. The APPI applies to business operators that hold the personal information of 5,000 or more individuals. Japan has other personal information protection laws that apply to the government and public organizations.

The APPI does not provide the details of personal information protection, but establishes basic rules. It requires all business operators handling personal information to specify the purpose for which personal information is utilized. Data subjects can request disclosure of their personal information that the business operators hold.

The APPI did not create a data protection agency and does not provide the government with strong enforcement powers. The legislature thought self-regulation by businesses would be appropriate. Businesses may form an Authorized Personal Information Protection Organization that issues personal information protection guidelines and mediates disputes.

I.  Legal Framework

There are three main laws related to the protection of personal information in Japan:

  • the Act on the Protection of Personal Information (APPI),[1]
  • the Act on the Protection of Personal Information Held by Administrative Organs,[2] and
  • the Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc.[3]

The APPI outlines basic data protection policies. These are not limited to online data protection. Those businesses that are subject to the APPI must specify the purpose of personal information collection. The APPI requires businesses to prevent the unauthorized disclosure, loss, or destruction of personal data. It limits transfers of data to third parties unless the data subject consents. The other two laws apply to government agencies and independent administrative agencies, as the titles suggest.

The government has established the Basic Policy on the Protection of Personal Information,[4] as required by the APPI.[5] The Basic Policy sets out the basic direction and actions to be taken by the State, local public bodies, independent administrative agencies, and entities handling personal information. Also, based on the APPI, ministries have issued guidelines on the protection of personal information.[6] As of 2007, thirty-five guidelines had been issued. The Quality of Life Policy Bureau then called for uniformity in the guidelines.[7] In 2008, a number of government agencies met and decided to modify the guidelines to make them more uniform[8] in accordance with the Cabinet Office’s directive.[9] As of July 2010, there were forty guidelines and they are more uniform than before.[10]


II. Current Law

The APPI applies to any business in Japan that holds personal data.[11] Businesses that hold the personal data of less than 5,000 individuals are excluded.[12] In addition, the press, academic institutions, religious organizations, and political organizations are excluded, though they must try to take “necessary and appropriate measures for controlling the security of personal data, and the necessary measures for the processing of complaints about the handling of personal information.”[13] The term “personal information” means information about a living individual that identifies the specific individual by name, date of birth, or other description contained in such information, including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual.[14]

A.  Purpose of Utilization

The APPI requires all businesses handling personal information to specify the purpose for which personal information is utilized as much as possible.[15] Upon acquiring personal information, a business handling such information must promptly notify the data subject of the purpose of its utilization or publicly announce the purpose of utilization of personal information.[16] A business must obtain consent from data subjects before using the information for any other purpose than the one originally stated.[17] However, when the handling of personal information is based on laws and regulations or is necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the data subject, as well as in other specified cases, prior consent may not be necessary.[18] A business handling personal information cannot change the purpose of utilization to the point where the new purpose of utilization is not duly related to the old one.[19] A business operator cannot acquire personal information by deception or other wrongful means.[20]

B.  Data Security

A business handling personal information must take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data.[21] Two specific measures are prescribed in the law. One is supervision over the employee who handles personal data. A business operator must exercise necessary and appropriate supervision over the employee who handles personal data to ensure the security control of the personal data.[22] The other is supervision over the trustee who handles personal data for the business. When a business operator handling personal information entrusts an individual or a business operator with the handling of personal data in whole or in part, it must exercise necessary and appropriate supervision over the trustee to ensure the security control of the entrusted personal data.[23]

Ministry Guidelines provide more details on security measures. For example, the Guidelines on the Act on Protection of Personal Information in the Areas of Economy and Industry list examples of four types of measures: organizational measures, employee management, physical management, and technical measures.[24] As computer and network security measures, the Guidelines recommend control over data access, such as limiting the number of people who can access data at the same time and blocking any access outside of business hours. They recommend that passwords have expiration dates and that IDs be suspended after someone has tried to log in with the wrong password a certain number of times. They also recommend keeping firewall and antivirus software up to date.[25]

C.  Disclosure

With respect to retained personal data, a business operator handling personal information must make the following matters easily available for data subjects:

  • The name of the business operator handling personal information
  • The purpose of utilization of all retained personal data
  • Procedures for requesting corrections and disclosure, and filing complaints[26]
  • Contact information for the entity that accepts complaints, including contact information for the Authorized Personal Information Protection Organization to which the business operator belongs, if any[27]

When a data subject requests that a business operator handling personal information disclose retained personal data that may lead to the identification of the person, the business operator must disclose the retained personal data without delay. Such disclosure includes notifying the data subject that the business operator has no such retained personal data that may lead to his/her identification.[28] However, the business operator may keep all or part of the retained personal data undisclosed in those cases where disclosure

  • is likely to harm the life, body, property, or other rights or interests of the data subject or a third party;
  • is likely to seriously impede the proper execution of the business of the business operator handling personal information; or
  • violates other laws and regulations.[29]

When a business operator has decided not to disclose all or part of such retained personal data, the business operator must notify the data subject of that decision and the underlying reason without delay.[30]

D. Transfer to Third Party

A business operator handling personal information must not provide personal data to a third party without the prior consent of the data subject, except where the transfer is

  • based on laws and regulations;
  • necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the data subject;
  • especially necessary for improving public health or promoting the sound growth of children and it is difficult to obtain the consent of the data subject; or
  • necessary for the affairs, prescribed by laws and regulations, conducted by a state organ, local government, or person who is authorized to conduct such affairs by these entities, where obtaining the consent of the person is likely to impede execution of the affairs.[31]

E.  Complaints and Remedies – Business Operator

The APPI states that a business operator handling personal information must endeavor to appropriately and promptly process complaints about the handling of personal information,[32] and recommends that such business operators establish a system for this processing.[33]

When a data subject requests that a business operator handling personal information correct, add, or delete such retained personal data as may lead to the identification of the person on the ground that the retained personal data is contrary to the facts, the business operator must make a necessary investigation without delay.[34] Based on the results of the investigation, the business operator must correct, add, or delete the retained personal data. There may be other laws and regulations that establish special procedures for such correction, addition, or deletion. In such cases, the business operator follows the established procedures.[35] The business operator must promptly notify the requester of its decision and the actions taken, including the content of the correction, addition, or deletion, if performed, or the reason for refusing to modify or delete the data.[36]

When a data subject finds that a business operator who handles personal information is using the retained personal data in a manner that may lead to the identification of the person beyond the stated purpose for the utilization of the data, or learns that the data was acquired by deception or other wrongful means, he or she may request that the business operator discontinue using or erase such retained personal data.[37] When the business operator finds that the request is well-founded, it must either discontinue using or erase the retained personal data concerned without delay, to the extent necessary for redressing the violation.[38] Also, when a data subject finds that a business operator is providing a third party with retained personal data that may lead to the identification of the person without having obtained the prior consent of the person, he or she may request that the business operator discontinue doing so.[39] If the business operator finds that the request is well-founded, it must discontinue providing the retained personal data to a third party without delay. However, in cases where it would cost a large amount of money or would otherwise be difficult to discontinue using or erase the retained personal data, the business operator may take alternative measures as long as those measures can protect the rights and interests of the person.[40] The business operator must promptly notify the data subject of its decision and, when the request is declined, the reason for refusing to act.[41]

A business operator may establish procedures for receiving requests[42] and collect a reasonable amount of fees to disclose retained personal information.[43]

F.   Complaints and Remedies – Authorized Personal Information Protection Organization

Because many business organizations issued guidelines on personal information protection and regulated their members before the enactment of the APPI,[44] the APPI followed a self-regulation model. Business operators typically form a juridical person, or an association or foundation, in order to conduct the following business for the purpose of ensuring the proper handling of personal information:

  • Processing complaints about the handling of personal information
  • Providing information for business operators to ensure the proper handling of personal information
  • Any other business necessary for ensuring the proper handling of personal information by target entities[45]

Such a juridical person, or an association or foundation, may apply for such an authorization with a competent minister.[46] The competent minister examines whether the applicant has sufficient knowledge, abilities, and financial backing and has established a business execution method necessary for properly and soundly processing complaints. If the applicant conducts any other business, the minister also considers whether that other business would impede the applicant’s fairness in terms of the proper handling of personal information.[47]

An Authorized Personal Information Protection Organization must issue personal information protection guidelines concerning the specification of the purpose of utilization, security control measures, procedures for complying with individuals’ requests, and other matters.[48] For example, regarding the Internet business, the Internet Association Japan issued Personal Information Guidelines on Electronic Network Management in 1994, and updated this document after the APPI was enacted.[49]

A data subject may file a complaint about the handling of personal information by a business operator with an Authorized Personal Information Protection Organization if the business operator is a member of the Organization. When an Authorized Personal Information Protection Organization receives such a complaint, the Organization must give the data subject necessary advice and investigate the circumstances pertaining to the complaint. The Organization also forwards the complaint to the business operator and requests that the operator resolve the complaint promptly.[50] Where an Authorized Personal Information Protection Organization finds it necessary for assessing the complaint, the Organization may request that the business operator provide explanations or submit relevant materials.[51]

It seems, however, that the ability of an Authorized Personal Information Protection Organization to resolve disputes between data subjects and business operators handling personal information is limited. In a 2008 court case where a data subject and a business operator disagreed on the proper handling of personal information, a district court held that the Authorized Personal Information Protection Organization did not have to continue mediating the dispute after the Organization had relayed the parties’ opinions and came to the point where both parties firmly disagreed with each other.[52]

G.  Complaints – Local Governments

The APPI obligates local governments to mediate the processing of complaints and take other necessary measures in order to ensure that any complaint arising between a business operator and a person regarding the handling of personal information will be handled appropriately and promptly.[53] Local governments have established a section to receive complaints on the handling of personal information and to advise people who consult with them.[54]

H.    Complaints – National Consumer Affairs Center

The National Consumer Affairs Center also receives complaints, advises data subjects, and/or mediates disputes between the business operator handling personal information and the data subject.[55]

I.  Judicial Enforcement

The APPI does not have a provision for an injunction or civil damages when a business operator does not respond to or refuses a data subject’s request. One district court has held that a data subject cannot use a lawsuit to force a business operator handling personal information to disclose his/her information because a data subject must follow the procedures for information disclosure between a business operator and a data subject provided by the APPI.[56] As explained in section IV, below, this decision has been criticized.[57]

J.    Administrative Sanctions

See section III, below.

K.    Criminal Sanctions

Though it is not specifically designed to protect online privacy, Japan does have a law to punish unauthorized access to computers. The Act on the Prohibition of Unauthorized Computer Access punishes a person who accesses a computer by breaking access control measures, such as using the authorized person’s identification and password without authorization or by creating a security hole. These acts may be punished by imprisonment of not more than one year or a fine of not more than 500,000 yen (about US$6,200).[58] In a 2005 case a person accessed a website without authorization through a security hole and copied the personal information of 1,200 users of the website. He was found guilty and sentenced to eight months’ imprisonment, but the sentence was suspended.[59]

L. Cross Border Application

The APPI applies to business operators doing business in Japan.[60]

M.  PrivacyMark

The Japan Information Processing Development Corporation (JIPDEC) established the “PrivacyMark” system in 1998 upon instruction from the Ministry of International Trade and Industry (currently the Ministry of Economy, Trade and Industry, METI).[61] This system assesses whether a business operator handling personal information has taken appropriate measures to protect personal information and grants those who meet certain standards the right to display the PrivacyMark label in the course of their business activities.[62] The system provides incentives for business operators to gain social credibility. A PrivacyMark conformity assessment body evaluates the business operator’s compliance with all relevant laws and regulations.[63] The system is in compliance with Japan Industrial Standards (Personal Information Protection Management System – Requirements, JIS Q15001 (2006)).[64] In accordance with the PrivacyMark agreement, a business operator who obtains the right to use the mark must report any incidents in which data subjects’ personal information was leaked. JIPDEC reviews the incidents and may cancel the grant of the right to use the PrivacyMark.[65]

N.  Smartphones

There is no specific regulation on data collection by smartphone applications. As long as the business operator collects the personal information of 5,000 or more people, the APPI applies.

The Ministry of Internal Affairs and Communications (MIC) initiated the Smart Phone and Cloud Security Research Society in October 2011. The Society recently released a draft report on smartphone and cloud security, as explained in section VI of this report.

O.  Protection of Minors

Although protection of minors from harmful content on the Internet has been discussed in the government,[66] no regulation has yet been issued that addresses the topic.


III. Role of Competent Ministers

Japan has no data protection agency. Instead, the government ministers who have jurisdiction over the business of the business operator handling personal information (the “competent ministers”) oversee the handling of such information.[67] Business operators handling personal information related to employment management may have an additional competent minister: the Minister of Health, Labor and Welfare. In the case of the employment management of mariners, the Minister of Land, Infrastructure, Transport and Tourism is the additional competent minister.[68] The APPI states that competent ministers must maintain close contact and cooperate with each other.[69]

The competent minister may ask a business operator to report on the handling of personal information[70] and give its advice.[71] When a business operator handling personal information neglects its legal obligations (by using personal information beyond the scope necessary for the achievement of the purpose of utilization, not taking necessary and proper security measures, etc.), the competent Minister may recommend that the business operator cease the violation(s) and take other necessary corrective measures.[72] If a business operator handling personal information does not take the recommended measures without justifiable grounds after it has received the recommendation, and when the competent minister finds that a serious infringement of the rights and interests of individuals is imminent, the competent minister may order the business operator to take the measures that the minister recommends.[73]

In certain cases, a competent minister can skip the recommendation and immediately issue an order. Where the violation by a business operator handling personal information concerns the actions listed below, and the competent minister finds that urgent action is necessary as there is a serious infringement of the rights and interests of individuals, the competent minister may order the business operator to cease the violation and take other necessary measures to rectify the violation.[74] These violations are:

  • Handling personal information beyond the scope necessary for the achievement of the purpose of utilization without obtaining the prior consent of the person[75]
  • Acquiring personal information by deception or other wrongful means[76]
  • Failing to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data[77]
  • Failing to exercise necessary and appropriate supervision over an employee who handles personal data for the security control of the personal data[78]
  • Failing to exercise necessary and appropriate supervision over the trustee of personal data for the security control of the entrusted personal data[79]
  • Providing personal data to a third party without obtaining the prior consent of the data subject[80]

Though the legal basis of the notice was not clearly specified, just before Google’s new privacy policy took effect on March 1, 2012, the MIC and METI issued a notice to Google Japan, emphasizing the importance of following the APPI and the Telecommunications Business Act.[81]

For an Authorized Personal Information Protection Organization, a competent minister is the minister that has granted the permission or approval of the organization or the minister who has jurisdiction over the business conducted by the member entities of the Authorized Personal Information Protection Organizations.[82] The competent minister may have an Authorized Personal Information Protection Organization make a report on the authorized businesses[83] and may order the organization to improve the method of conducting its authorized businesses, to amend its personal information protection guidelines, or to take any other necessary measures.[84] A competent minister may rescind its authorization when an Authorized Personal Information Protection Organization violates the APPI.[85]

If a business operator or an Authorized Personal Information Protection Organization did not make a report or submitted a false report after a competent minister’s request, it is subject to a fine of not more than 300,000 yen (about US$3,750).[86] When a business operator or an Authorized Personal Information Protection Organization violates a competent minister’s order, it is subject to a term of imprisonment of not more than six months or a fine of not more than 300,000 yen.[87]

Though Japan has no data protection agency, there is a coordinating body. When the APPI was enacted, the Quality of Life Policy Bureau of the Cabinet Office was designated as a coordinating body for the government agencies and given the task of promoting the protection of personal information.[88] When the Consumer Affairs Agency was established in 2009, these responsibilities were transferred to the Consumer Affairs Agency.[89] Based on article 53 of the APPI, all government agencies must submit an annual report on implementation of the APPI to the Consumer Affairs Agency. The Consumer Affairs Agency then issues an annual government report on implementation of the APPI.[90] The website of the Consumer Affairs Agency provides various educational materials for consumers and business operators handling personal information.[91]


IV.  Court Decisions

A.  APPI Cases

Several court cases have involved claims based on the APPI,[92] but most of them are irrelevant to online privacy issues. One of the few relevant cases involved the question of whether a data subject could use a judicial procedure to obtain his/her personal information from a business operator handling that information. The Tokyo District Court denied the data subject’s request based on the following grounds:

  • The APPI provides various measures to solve disputes outside of the judicial process. If the disclosure of personal information could be enforced directly by litigation, provisions of the APPI might be ignored and lose their importance, which was not intended.
  • Article 25, paragraph 1 of the APPI obligates business operators to disclose personal information. It does not state that data subjects have rights to obtain their personal information.[93]

The District Court’s decision has been criticized. For example, the Federation of Japan Bar Associations stated that the reasons the Tokyo District Court gave for its decision did not support the denial of the right of data subjects. Rather, the legislative history and the government materials that explained the APPI implied that the right would be enforceable by lawsuits.[94]

 

B.  Privacy and the Right to Control One’s Own Information

Though there is no legal provision that explicitly protects the right to privacy, the right has been recognized by the courts. The first decision in which a court recognized the privacy right based on article 13 of the Constitution[95] was issued by the Tokyo District Court in 1964.[96] The first Supreme Court decision recognizing the right to privacy was rendered in 1969.[97] Article 13 of the Constitution states that

[a]ll of the people shall be respected as individuals. The right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.

In a 1969 Supreme Court case, a police officer took photos of street demonstrators on the front lines of a march who were suspected of violating the conditions that the local government imposed when it issued a permit for the demonstration. The photos were submitted to the court as one piece of the evidence. The defendant claimed that taking the photos was illegal because it violated his portrait right. The Court stated that individuals have the right not to have their photos taken without consent. However, it also stated that this right can be restricted when it interferes with public welfare. When a police officer takes photos of suspected criminals and crime scenes in an appropriate way in a given circumstance, it does not violate someone’s right to his portrait, the court said.[98]

Recently, the Supreme Court issued a decision on personal information databases and privacy, citing its 1969 decision. Japan has maintained the resident registry, a personal information database, since 1951.[99] Municipalities have maintained the basic resident registries that record the name, date of birth, sex, address, name of the head of the household, starting date of the residency, etc.[100] The government amended the Basic Resident Registry Law in 1999[101] in order to connect some of the information in the resident registries online between the national and local government agencies (Jūki Net) and make many national and local government resident services and other procedures effective.[102] The government launched Jūki Net in 2003 and linked residency registries of local governments by compiling citizens’ names, birth dates, sex, and addresses, and assigning an eleven-digit code to each person.[103]

At least seventeen citizen groups filed lawsuits against local governments, claiming that Jūki Net violates the right to privacy protected under article 13 of the Constitution.[104] Most courts dismissed the citizen groups’ claims, but the Kanazawa District Court[105] and the Osaka High Court[106] held that Jūki Net was unconstitutional. In particular, the Osaka High Court stated that the individual’s interest in determining how to deal with information concerning his/her private matters (the right to control one’s own information) is guaranteed by article 13 of the Constitution, as the right is included in the right to privacy. The court said that information concerning a person’s name, birth date, address, sex, and resident number is not in and of itself confidential information, but liberty in private lives can still be threatened if it is used against the data subjects’ will. Therefore, this information is subject to legal protection and subject to the right to protect one’s own information. The court also found a risk of misuse of personal information in the Jūki Net system.[107]

However, the Supreme Court reversed the Osaka High Court decision, stating that an individual’s name, birth date, address and sex, and resident number are not confidential; there is no significant system risk of leaking the information; and misuse by people handling the information is prohibited by administrative and criminal sanctions. Therefore, the government’s acts to manage and utilize Jūki Net did not violate the citizens’ liberty in private life protected under article 13 of the Constitution because it did not constitute the disclosure of personal information to a third party or make such information public without good reason.[108] The Supreme Court did not mention the right to control one’s own information.


V.  Public and Scholarly Opinion

According to a public opinion poll concerning personal information protection conducted by the Cabinet Office in 2006, about 70% of Japanese people are anxious about how their personal information is handled, such as the unauthorized distribution of their personal information.[109]

The Japan Federation of Bar Associations (JFBA) adopted a resolution demanding the protection of privacy in advanced information/communication networks in 2010. In the resolution, the JFBA recommended legislation to protect the right to control personal information. More specifically, it recommended a system whereby a data subject would be notified before his/her information was collected of the purpose and methods of collection. It also recommended that the government regulate the collection of data even if the data does not specify the identity of the data subject (and therefore is not subject to the APPI), such as behavioral targeting advertising.[110]


VI.  Government Research and Discussions

The government started to examine the possible introduction of a citizen identification system in September 2010. In February 2012, the Cabinet submitted a bill on the Act on Use of Numbers to Identify Individuals in Administrative Procedures.[111] This law would be a special law supplementing the APPI and laws on personal information protection for information held by the government and public entities, and would establish some exceptions for the provisions of the personal information protection laws.[112]

The Consumer Commission under the jurisdiction of the Cabinet Office is monitoring implementation of the APPI, and the MIC is monitoring issues relating to information communication technology. They continue to examine new situations and new technologies.

The Consumer Commission established the Personal Information Protection Special Research Subcommittee in December 2009. The Subcommittee researches and discusses matters on the proper handling of personal information and reviews the Basic Policy on Personal Information Protection.[113] The Subcommittee submitted a report to the Consumer Committee in July 2011.[114] In that report, the Subcommittee recommended discussion of an independent organization to enforce personal information protection based on the discussion of the citizen identification system.[115] Such an organization would be established for the citizen number system when the Act on Use of Numbers to Identify Individuals in Administrative Procedures is enacted.[116] In the report, the Subcommittee also recommends, among other things,

  • discussions on expanding the scope of business operators handling personal information that are subject to the APPI (currently, only business operators dealing with the personal information of 5,000 or more people are covered);
  • promotion of technical measures to prevent accidents, such as encryption; and
  • clear provisions on the data subject’s right to obtain, correct, and seek to stop the use of personal information.[117]

In April 2009, the MIC established the Study Group on Consumer Issues with ICT Services in order to examine new issues that arise from the introduction of new services and new technologies in the field of communications.[118] The Study Group has researched various matters from time to time. One of the topics was the “lifelog” monitoring service. In Japan, the term “lifelog” refers to a log of an individual’s life built up over time, including website browsing histories, purchasing and payment histories on e-commerce sites, and location information obtained from mobile devices’ global positioning system (GPS) data.[119]

The Study Group released a report, An Examination of Lifelog-Monitoring Services, in May 2010.[120] The report looked at behavioral advertising and location-based personalized assistance services. The report stated that “[p]roviders of behavioral advertising and similar applications are generally not thought to be business operators handling personal information, as legally defined, because the information they handle is, itself, not personal information.”[121] However, that information typically required for behavioral advertising[122] “can become personally identifiable when retained information permits the identification of a specific individual through simple reference to other information.”[123] In such cases, the APPI applies to the business operator.[124] In addition, the report states “lifelog-monitoring services, depending on their circumstances, can violate privacy rights or provoke consumer concerns.”[125] The report calls on business operators to take reasonable steps to preserve privacy, so that they can limit the likelihood of infringing upon privacy rights.[126]

The report rejects the suggestion that “administrative bodies draw up guidelines and procedures on the practices (of lifelog monitoring services) businesses should follow” because “lifelog-monitoring services are in their infancy and it is not wise to place excessive burdens on businesses that will hamper their growth.” [127] Instead, the Study Group recommends “encourag[ing] businesses to draft their own self-regulatory guidelines” in reference to the following six consumer-centric principles established by the Study Group:[128]

  1. Publicity, promotion, and education activities;
  2. Assurance of transparency;
  3. Assurance of opportunities for consumer participation;
  4. Assurance of data collection by appropriate means;
  5. Assurance of adequate security controls; and
  6. Assurance of frameworks to address complaints and inquiries.[129]

The report further examines “behavioral advertising using deep packet inspection (DPI) technology.”[130] DPI is “an advertising modality in which an Internet service provider (ISP) intercepts and inspects packets passing over its networks to predict customers’ preferences and interests—information that is then used to deliver targeted advertisements to customers.”[131] DPI “usually refers to the technology that parses the headers and payloads of packets passing over a network and screens them for certain communication characteristics and behaviors.” [132] In addition to the APPI and privacy violations, the breach of communication confidentiality matters “because DPI-based behavioral advertising involves ISPs inspecting packets passing over their networks.” [133] The report concludes that DPI-based behavioral advertising violates the confidentiality of communications without consumer consent. [134] The report states that “businesses engaged in DPI-based behavioral advertising should make their service mechanisms and operations sufficiently transparent to consumers”[135] and also recommends that businesses “[p]rovide consumers with opportunities to easily opt out.”[136]

After the report was released, the Japan Internet Advertising Association (JIAA) amended its Behavioral Advertising Guidelines in June 2010. [137] The amendment was also influenced by the Self-Regulatory Principles for Online Behavioral Advertising in the United States.[138] The 2010 amendment added articles concerning transparency and an opt-out option, among other things.[139]

The MIC initiated the Smart Phone and Cloud Security Research Society in October 2011.[140] The Research Society released its draft final report on smartphone and cloud security on April 26, 2012, and solicited public comments.[141] The final report was released on June 29, 2012. [142] MIC also launched the Working Group on the User Information Sent Through Smartphone in January 2012 to examine current conditions and consider policies necessary for the handling of smartphone user information.[143] The Working Group released its Interim Report in April 2012.[144] The Interim Report examined current conditions and a selected agenda: how to deal with user information and how to inform users.[145] The issue of protection of minors was included in the agenda. At the same time that it released the Interim Report, the Working Group issued the Smartphone Privacy Guide in order to inform users of the privacy risks of smartphones and how to deal with smartphones to protect their privacy.[146] The Working Group released its final draft report on June 29, 2012, and is now soliciting public comments.[147]

Sayuri Umeda
Senior Foreign Law Specialist
June 2012


[1] Kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information (APPI)], Act No. 57 of 2003 (May 30, 2003), last amended by Act No. 49 of 2009 (June 5, 2009). The English translation of selected laws are available on Japanese Law Translation, which is managed by the Ministry of Justice, at http://www.japaneselawtranslation.go.jp/ (last visited June 25, 2012); the English translation of the unamended version of the APPI is available at http://www.japaneselawtranslation.go.jp/law/detail_main?re=02&vm=&id=130.

[2] Gyōsei kikan no hoyū suru kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information Held by Administrative Organs], Act No. 58 of 2003 (May 30, 2003), last amended by Act No. 102 of 2005 (Oct. 21, 2005).

[3] Dokuritsu gyōsei hōjin tō no hoyū suru kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information Held by Independent Administrative Agencies], Act No. 59 of 2003 (May 30, 2003), last amended by Act No. 94 of 2011 (Aug. 10, 2011).

[4] Kojin jōhō no hogo ni kansuru kihon hōshin [Basic Policy on the Protection of Personal Information], Cabinet Decision (Apr. 2, 2004), last amended by Cabinet Decision (Sept. 1, 2009), http://www.caa.go.jp/seikatsu/kojin/kakugi2009.pdf, 2008 English version available at http://www.caa.go.jp/seikatsu/kojin/foreign/basic-policy-tentver.pdf.

[5] APPI art. 7.

[6] Id. arts. 6–8. Article 8 states that “the State shall provide information, [and] formulate guidelines to ensure the appropriate and effective implementation of measures to be taken by entities and others . . . .”

[7] Quality of Life Policy Bureau of the Cabinet Office, Kojin jōhō hogo ni kansuru torimatome (iken) [Summary Regarding Personal Information Protection (Opinion)] 9–11 (June 29, 2007), http://www.caa.go.jp/seikatsu/shingikai/kojin/20th/torimatome.pdf.

[8] Kojin jōhō no hogo ni kansuru gaidorain no kyōtsūka ni tsuite [Regarding Uniformity of Guidelines on Personal Information Protection], Consumer Affairs Agency, http://www.caa.go.jp/seikatsu/kojin/gaidorainkentou2.html (last visited June 5, 2012).

[9] Gaidorain no kyotsuka no kangaekata ni tsuite [Regarding the Concepts of Making Guidelines More Uniform], Cabinet Office (July 2010), http://www.caa.go.jp/seikatsu/kojin/gaidorainkentou/kyoutuuka2.pdf.

[10] Ministries’ guidelines are available at http://www.caa.go.jp/seikatsu/kojin/gaidorainkentou.html (last visited June 5, 2012).

[11] APPI, Act No. 57 of 2003 (May 30, 2003), last amended by Act No. 49 of 2009 (June 5, 2009), art. 2, para. 3.

[12] Kojin jōhō no hogo ni kansuru hōritsu shikō rei [Enforcement Order of the Act on the Protection of Personal Information], Cabinet Order No. 507 (Dec. 10, 2003), last amended by Cabinet Order No. 166 (May 1, 2008), art. 2.

[13] APPI art. 50, para. 3.

[14] Id. art. 2, para. 1.

[15] Id. art. 15, para. 1.

[16] Id. art. 18, para. 1.

[17] Id. art. 16, para. 1.

[18] Id. art. 16, para. 3.

[19] Id. art. 15, para. 2.

[20] Id. art. 17.

[21] Id. art. 20.

[22] Id. art. 21.

[23] Id. art. 22.

[24] Kojin jōhō no hogo ni kansuru hōritsu ni tsuite no keizai sangyō bunya o taishō to suru gaidorain [Guidelines on the Act on Protection of Personal Information in the Areas of Economy and Industry], Ministry of Health, Welfare and Labour and Ministry of Economy, Trade and Industry Ordinance No. 2, Oct. 9, 2009, http://www.meti.go.jp/policy/it_policy/privacy/kaisei-guideline.pdf.

[25] Id. at 36–37.

[26] APPI, Act No. 57 of 2003 (May 30, 2003), last amended by Act No. 49 of 2009 (June 5, 2009), art. 24, para. 1.

[27] Enforcement Order of the APPI, Cabinet Order No. 507 of 2003 (Dec. 10, 2003), last amended by Cabinet Order No. 166 of 2008 (May 1, 2008), art. 5.

[28] APPI art. 25, para. 1.

[29] Id.

[30] Id. art. 25, para. 2 & art. 28.

[31] Id. art. 23, para. 1. One example of the final exception is when hospitals submit certain patient information to the national cancer survey.

[32] Id. art. 31, para. 1.

[33] Id. art. 31, para. 2.

[34] Id. art. 26, para. 1.

[35] Id.

[36] Id. art. 26, para. 2 & art. 28.

[37] Id. art. 27, para. 1.

[38] Id.

[39] Id. art. 27, para. 2.

[40] Id. art. 27, paras. 1 & 2.

[41] Id. art. 27, para. 3 & art. 28.

[42] Id. art. 29; APPI Enforcement Order, Cabinet Order No. 507 of 2003 (Dec. 10, 2003), last amended by Cabinet Order No. 166 of 2008 (May 1, 2008), art. 7.

[43] APPI art. 30.

[44] SHIZUO FUJIWAYA AND KOJIN JŌHŌ HOGO HŌSEI KENKYŪKAI [PERSONAL INFORMATION LAW RESEARCH STUDY GROUP], KOJIN JŌHŌ HOGO HŌ NO KAISETSU [COMMENTARY ON THE ACT ON THE PROTECTION OF PERSONAL INFORMATION] 219 (Itsuo Sonobe ed., 2005).

[45] APPI art. 37, para. 1.

[46] Id. art. 37, para. 2.

[47] Id. art. 39.

[48] Id. art. 43.

[49] The Guidelines are available on the Internet Association Japan’s website, http://www.iajapan.org/privacy/ (in Japanese; last visited June 1, 2012).

[50] APPI art. 42, para. 1.

[51] Id. art. 42, para. 2.

[52] Tokyo Dist. Ct. Apr. 22, 2008, cited in Personal Information Protection Promotion Room, infra note 56, at 18.

[53] APPI art. 13.

[54] The Consumer Affairs Agency website lists telephone numbers and addresses of the section of local governments throughout Japan, http://www.caa.go.jp/seikatsu/kojin/kujyomadoguchi.html (in Japanese; last visited May 23, 2012).

[55] The National Consumer Affairs Center’s website lists examples of complaints and the Centers’ responses, at http://www.kokusen.go.jp/jirei/j-top_kojinjoho.html (in Japanese; last visited May 23, 2012).

[56] Kojin jōhō hogo hō ni okeru kujō shori ga saiban tetsuzuki de arasowareta rei ni tsuite [Regarding Lawsuits Where Complaints Concerning the Handling of Personal Information Were Involved], Personal Information Protection Promotion Room, Planning Section, Consumer Affairs Agency (Sept. 29, 2010), http://www.cao.go.jp/consumer/history/01/kabusoshiki/kojin/doc/002_100929_sankou2.pdf.

[57] Kojin jōhō hogo senmon chōsakai hiaringu kōmoku ni taisuru iken chinjutsu no kosshi [Main Points of Statements Regarding Item to Be Heard by Personal Information Protection Special Research Committee], Japan Federation of Bar Associations (May 20, 2011), http://www.cao.go.jp/consumer/history/01/kabusoshiki/kojin/doc/006_110520_shiryou2.pdf.

[58] Fusei akusesu kōi no kinshi ni kansuru hōritsu [Act on the Prohibition of Unauthorized Computer Access], Act No. 128 of 1999 (Aug. 13, 1999), arts. 3, 8.

[59] Moto kenkyūin ni yūzai hanketsu ACCS fusei akusesu jiken [Former Researcher Found Guilty, ACCS Unauthorized Access Case], IT MEDIA (Mar. 25, 2005), http://www.itmedia.co.jp/news/articles/0503/25/news022.html.

[60] KATSUYA UGA, KOJIN JŌHŌ HOGO HŌ NO CHIKUJŌ KAISETSU [ARTICLE-BY-ARTICLE COMMENTARY OF THE APPI] 37 (2005).

[61] Outline and Objective, JIPDEC, http://privacymark.org/privacy_mark/about/outline_and_purpose.html, (last modified Dec. 5, 2011).

[62] Id.

[63] About Conforminity [sic] Assessment Body, JIPDEC, http://privacymark.org/agency/about.html (last modified Dec. 5, 2011).

[64] Outline and Objective, JIPDEC, supra note 61. Japanese Industrial Standards specify the standards used for industrial activities in Japan. The standardization process is coordinated by the Japanese Industrial Standards Committee (JISC). JIS Q15001 is available in Japanese through the JISC online database, at http://www.jisc.go.jp/app/JPS/JPSO0020.html (last visited May 24, 2012).

[65] Puraibashi māku fuyo ni kansuru kiyaku [Agreement on Granting PrivacyMark] 1.2 version (Mar. 1, 2012), arts. 11, 12, 15, http://privacymark.jp/reference/pdf/pmark_guide120401/PMK500.pdf.

[66] Press Release, MIC, Recommendations on the Development of an Environment That Provides Safe and Secure Internet Use – Towards Protection for Minors in the Smartphone Age – “Study Group on Examining Issues Around ICT Services from the User Perspective” (Oct. 28, 2011), http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/111028_f.html.

[67] APPI, Act No. 57 of 2003 (May 30, 2003), last amended by Act No. 49 of 2009 (June 5, 2009), art. 36, para. 1.

[68] Id.

[69] Id. art. 36, para. 3.

[70] Id. art. 32.

[71] Id. art. 33.

[72] Id. art. 34, para. 1.

[73] Id. art. 34, para. 2.

[74] Id. art. 34, para. 3.

[75] Id. art. 16.

[76] Id. art. 17.

[77] Id. art. 20.

[78] Id. art. 21.

[79] Id. art. 22.

[80] Id. art. 23, para. 1.

[81] News Release, METI, Gūguru kabushiki kaisha ni taisuru chūi kanki bunsho no hasshutsu ni tsuite [Regarding Issuance of a Notice Encouraging Google to Be Careful] (Feb. 29, 2012), http://www.meti.go.jp/press/2011/02/20120229011/20120229011.pdf.

[82] APPI art. 49.

[83] Id. art. 46.

[84] Id. art. 47.

[85] Id. art. 48.

[86] Id. art. 57.

[87] Id. art. 56.

[88] APPI, Act No. 57 (May 30, 2003), art. 7, para. 3; Kōshin rireki no ichiran (heisei 21nen do) [List of Updates (2009 Fiscal Year)], Consumer Affairs Agency (Sept. 1, 2009), http://www.caa.go.jp/seikatsu/kojin/update2009.html.

[89] Consumer Affairs Agency, supra note 88. See also Shōhisha chō oyobi shōhisha iinkai secchi hō [Act on Establishment of Consumer Affairs Agency and Consumer Committee], Act No. 48 (June 5, 2009), art. 4, item 23.

[90] Heisei 22nen do ni oketu kojin jōhō no hogo ni kansuru hōritsu no shikō jōkyō no gaiyō ni tsuite [Regarding the Summary of Implementation of the APPI during 2010 Fiscal Year], Consumer Affairs Agency, second page (no page number), http://www.caa.go.jp/seikatsu/kojin/22-sekou.pdf. The annual reports are available on the Agency’s website, at http://www.caa.go.jp/seikatsu/kojin/index_sub001.html.

[91] Personal Information Protection, CONSUMER AFFAIRS AGENCY, http://www.caa.go.jp/seikatsu/kojin/index.html (in Japanese; last visited May 31, 2012).

[92] Personal Information Protection Promotion Room, supra note 56.

[93] Tokyo Dist. Ct., June 27, 2007, Hei 18 (wa) no. 18312, HANREI JIHŌ 1978, 27.

[94] Japan Federation of Bar Associations, supra note 57.

[95] NIHONKOKU KENPŌ [CONSTITUTION OF JAPAN] (1946).

[96] Tokyo Dist. Ct., 1962 (wa) 1882 (Sept. 28, 1964), 15 KAMINSHŪ 9, 2317.

[97] S. Ct., 1965 (A) No. 1187, 23 KEISHŪ 12, 1625 (Dec. 24, 1969), http://www.courts.go.jp/hanrei/pdf/js_20100319120221050991.pdf; English translation available on Courts of Japan website, at http://www.courts.go.jp/english/judgments/text/1969.12.24-1965.-A-.No..1187.html.

[98] Id.

[99] Jūmin tōroku hō [Resident Registration Law], Act No. 218 of 1951 (June 8, 1951). The registration system changed when the Basic Resident Registry Law was enacted. Jūmin kihon daichō hō, Act No. 81 of 1967 (July 25, 1967).

[100] Basic Resident Registry Law, Act No. 81 of 1967 (July 25, 1967), art. 7.

[101] Act. No. 133 of 1999 (Aug. 18, 1999).

[102] Jūmin kihon daichō nettowāku shisutemu suishin kyōgikai [Basic Resident Registry Network Promotion Council], Jūmin kihon daichō nettowāku no gaiyō [Summary of Basic Resident Registry Network] 1, http://www.soumu.go.jp/main_sosiki/jichi_gyousei/c-gyousei/daityo/old/shousai/02_gaiyo.htm (last visited June 7, 2012).

[103] Resident Registry Launched in Trial Run for August, JAPAN TIMES (July 23, 2002), http://www.japantimes.co.jp/text/nn20020723a9.html.

[104] Jūi netto sashitome soshō o shien suru kai [Group Supporting Lawsuits to Suspend Jūki Net], 10gatsu 1tachi Jūki netto sashitome soshō sōkatsu kaigi [Conference to overview Jūki Net suspension lawsuits, October 1st] 11 (Oct. 29, 2011), http://www006.upp.so-net.ne.jp/jukisosho/torikumi/news45p2-p12.pdf.

[105] Kanazawa Dist. Ct., 2002 (wa) No. 836 and 2003 (wa) No. 114 (May 30, 2005), HANREI JIHŌ 1934, 3.

[106] Osaka High Ct. (Nov. 30, 2006). This case was reported in many news articles, but not listed in the court report.

[107] The case was summarized in the Supreme Court decision, infra note 108.

[108] S. Ct., 2007 (o) No. 403 (Mar. 6, 2008), 20 MINSHŪ 3, 665, http://www.courts.go.jp/hanrei/pdf/20080306142412.pdf.

[109] Quality of Life Policy Bureau, supra note 7, at 1.

[110] JFBA, “Kōdo jōhō tsūshin nettowāku shakai” ni okeru puraibashī ken hoshō shisutemu no jitsugen o motomeru ketsugi [Resolution Seeking Realization of Privacy Right Guarantee System in “Advanced Information/Communication Network”] (Oct. 8, 2010), http://www.nichibenren.or.jp/activity/document/civil_liberties/year/2010/2010_2.html.

[111] Gyōsei tetsuzuki ni okeru tokutei no kojin o shikibetsu suru tame no bangō no riyō tō ni kansuru hōritsu an [Bill of the Act on Use of Numbers to Identify Individuals in Administrative Procedures], Cabinet Bill No. 32 of 180th Diet Session.

[112] Id. art. 1.

[113] Shōhisha iinkai kojin jōhō hogo senmon chōsakai secchi/unei kitei [Rules on Establishment and Management of the Personal Information Protection Special Research Subcommittee, Consumer Committee], Consumer Committee Decision (Dec. 8, 2009), http://www.cao.go.jp/consumer/history/01/kabusoshiki/kojin/__icsFiles/afieldfile/2010/11/24/131_kojinjoho.pdf.

[114] Kojin jōhō hogo senmon chōsakai hōkokusho [Personal Information Protection Special Research Subcommittee Report], Personal Information Protection Special Research Subcommittee, Consumer Committee (July 2011), http://www.cao.go.jp/consumer/history/01/kabusoshiki/kojin/doc/houkokusho.pdf.

[115] Id. at 7.

[116] Bill of the Act on Use of Numbers to Identify Individuals in Administrative Procedures, Cabinet Bill No. 32 of 180th Diet Session, arts. 31–50.

[117] Personal Information Protection Special Research Subcommittee Report, supra note 114, at 10–16.

[118] Press Release, MIC, “Riyōsha shiten o fumaeta ICT sābisu ni kakaru shomondai ni kansuru kenkyūkai” no kaisai [First Meeting of “Study Group on Consumer Issues with ICT Services”] (Apr. 6, 2009), http://www.soumu.go.jp/menu_news/s-news/02kiban08_000004.html.

[119] STUDY GROUP ON CONSUMER ISSUES WITH ICT SERVICES, AN EXAMINATION OF LIFELOG-MONITORING SERVICES 3 (May 2010), http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/councilreport/pdf/100526_1.pdf; Japanese version available at http://www.soumu.go.jp/main_content/000067551.pdf (see Section II of the report).

[120] Id.

[121] Id. at 17.

[122] “Behavioral advertising and similar applications usually only require (a) logs of Web actions and habits (browsing, purchases, etc.) needed to predict consumer preferences and interests, (b) location information, and (c) IDs generated with cookies needed to acquire action logs and serve advertisements, or (d) subscriber IDs to identify mobile devices.” Id. at 14.

[123] Id. at 14–15.

[124] Id. at 17–18.

[125] Id. at 23.

[126] Id.

[127] Id. at 24.

[128] Id.

[129] Id. at 26.

[130] Id. at 33.

[131] Id.

[132] Id.

[133] Id. at 34.

[134] Id. at 39.

[135] Id.

[136] Id. at 40.

[137] The Behavioral Advertising Guidelines were first issued in June 2009. “Kōdō tāgetingu kōkoku gaidorain” no kaitei ni tsuite [Regarding Amendment of the Behavioral Advertising Guidelines], JIAA, June 24, 2010, at 1, http://www.jiaa.org/dbps_data/_material_/common/release/bta_guideline_release_100624.pdf (Guidelines attached to linked document).

[138] Id. The Self-Regulatory Principles for Online Behavioral Advertising are available on the Interactive Advertising Bureau’s website, at http://www.iab.net/public_policy/behavioral-advertisingprinciples (last visited May 29, 2012).

[139] Telecommunications Bureau, MIC, Dai 2ji teigen go no ugoki to kongo no kentō kadai ni tsuite [Regarding the Movement after the Second Proposal and Agenda], at 5 (Sept. 2010), http://www.soumu.go.jp/main_content/000081042.pdf.

[140] Press Release, MIC, “Sumāto phon / kuraudo sekyuriti kenkyūkai” no kaisai [Opening of “Smartphone / Cloud Security Society”] (Oct. 1, 2011), http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_01000009.html.

[141] Appeal for Opinions on Draft Final Report from ‘Smart Phone and Cloud Security Research Society,’ MIC, Apr. 27, 2012, http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/120427_06.html. The records of the Society’s meetings and the final draft report are available in Japanese on the MIC website, at http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_02000019.html (last visited May 30, 2012).

[142] The report is available on the MIC website, at http://www.soumu.go.jp/main_content/000166095.pdf (in Japanese; last visited June 30, 2012).

[143] Press Release, MIC, ‘Working Group on the User Information Sent Through Smartphone’ to Be Opened Under Study Group on Consumer Issues with ICT Services (Jan. 18, 2012), http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/12011801.html.

[144] Press Release, MIC, Official Announcement of ‘Interim Report from Working Group on the User Information Sent through Smartphone’ Under Study Group on Consumer Issues with ICT Services (Apr. 11, 2012), http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/120411_01.html.

[145] Sumātophon o keiyu shita riyōsha jōhō no toriatsukai ni kansuru WG chūkan torimatome [Interim Report from Working Group on the User Information Sent Through Smartphone] 33–40 (Apr. 2012), http://www.soumu.go.jp/main_content/000154856.pdf.

[146] The Smartphone Privacy Guide is available at the end of the Interim Report. Id. at 45.

[147] Press Release, MIC, Riyōsha shiten o humaeta ICT sābisu ni kakaru shomondai ni kansuru kenkyūkai teigen “sumāatofon puraibashī inishiatibu -riyōsha jōhō no tekisei na toriatsukai to riterashī kōjō ni yoru shin jidai inobēshon-“ (an) ni taisuru iken boshū [Public Comments accepted regarding “Smartphone privacy initiative – innovation in a new era by proper handling of user information and improvement of literacy” (Draft) proposed by Study Group on Examining Issues Around ICT Services from the User Perspective] (June 29, 2012), http://www.soumu.go.jp/menu_news/s-news/01kiban08_02000081.html.


Last Updated: 06/05/2015