2014 Japanese Privacy Law Revision Public Comments

On December 20, 2013, the IT Strategy Headquarters of Japan elected to conduct a revision of the Personal Data Use Law and in March of this year reconvened the Personal Data Commission to undertake the task of identifying and proposing new changes.

The following represents the collected and submitted public comments of KICIS, The Asia Forum on Cybersecurity & Privacy, the ACCJ, the Australian Privacy Foundation, and researchers at Keio University. The comments examine the impact of the revision to the Personal Data Utilization law in Japan from a variety of perspectives including consumer protection, promoting innovation, and adapting to changing technological climates.

Japanese-language versions are provided as PDFs where available.

Keio International Project for the Internet & Society (KICIS) | 日本語

KICIS strongly welcomes the outline of proposed change in Japan’s data protection framework. Revisions to the current framework are long overdue and vital to strengthening competitiveness and growth in Japan’s Internet Economy. For that reason, we support the purpose of the government’s proposed reforms, i.e., to “promote the utilization of personal data.” Japan has among the best infrastructure for the Internet, but utilization has lagged because companies and individuals have been reluctant to share data online. As a result, Japan has fallen behind other advanced countries in the deployment of new technologies, such as cloud computing and “big data.” We appreciate the Abe administration’s strong commitment to reversing this trend and recognition that a dynamic, market-based approach to rulemaking on privacy is essential for success. The top-down, centralized approach to data protection seen in Europe is not the solution for Japan and poses a threat to innovation and growth on the Internet. Information needs to be protected, but it is valuable only when it is shared.

An effective yet flexible data protection system requires two elements: a data protection authority with the mandate, budget and human resources to enforce compliance with agreed rules and a sector-based rule-making process that involves all relevant stakeholders. In the healthcare sector, this means physicians, hospital administrators and patient rights groups; in advertising, it includes merchants, service providers and consumer interests. Getting the balance right is not easy.

The United States has had mixed results in pursuing this policy over the past several years. Nonetheless, the Federal Trade Commission (FTC) is beginning to assert its power in this area and the National Telecommunications and Information Administration (NTIA) is working to develop a viable process for developing sector based voluntary “codes of conduct.” We are pleased that the Japanese government appears ready to take this approach and see it as an important area for US-Japan collaboration. We hope that the Japanese government will take the opportunity of the September 16-17 US-Japan Internet Economy Dialogue to discuss its plans in more depth with the US government and the private sectors of both countries.

Eliminating Overlapping Authorities within the GOJ for Data Protection
The record in Japan of independent regulatory authorities and commissions has not been good. A key reason has been the highly decentralized nature of Japan’s bureaucratic structures and the institutional weakness of the Cabinet Office in developing and enforcing government-wide policies. Yet the advent of the Internet Economy is forcing change. Two years ago, the position of Chief Information Officer (CIO) was established to coordinate IT procurement policies and currently there is a bill before the Diet to create a Cybersecurity Center that will be responsible for setting standards and enforcing compliance to protect government services and other critical infrastructure from cyber-attack. The proposed “third party authority” is another in this series of institutional innovations. To succeed, it must be given the legal mandate, the budget and the professional human resources that it needs. While KICIS favors a market-based approach, we also believe that the proper functioning of the market requires government oversight and vigilance. Since the first years of this new institution will set its course, we recommend that the first chair of the new “commission” be a leader with broad political and substantial business experience and that the appointment be made for a minimum of five years. We also would urge the selection of a broadly based group of commissioners, who reflect the interests and perspectives of the multistakeholder community.

Involvement of the Multistakeholder Community in the Rule Making Process

We see the recommendation for involvement of the multistakeholder community in the rule-making process for privacy as a potential turning point for IT governance in Japan. It reflects the considerable discussion internationally as to how the Internet should be governed and the recognition that for the multistakeholder process to be relevant internationally it must be rooted in domestic political processes as well. KICIS has organized three multistakeholder forums on privacy over the past several months. In parallel, the Japan Network Information Center (JPNIC) has launched an Internet Governance Conference to discuss changes in the international administration of the Internet and what the implications are for Japan.

We look forward to an extensive discussion with the government and other relevant stakeholders as to how the multistakeholder principle should be implemented in decisions related to privacy. Understood properly, this is a step beyond the current system of advisory groups to the government and implies a certain degree of co-regulation.

__________________________________________________________________________________________________________

Asia Forum on Cybersecurity & Privacy | 日本語

The Asia Forum welcomes the Japanese government’s proposals on reform of the framework governing the utilization of personal data. The Korean government carried out significant reforms in 2011 with passage of the Personal Data Protection Action, which has been described as the “strictest privacy law in Asia.” Among the reforms was the creation of a 15-member Data Protection Commission.

However, the complexity of administrative and enforcement structures related to privacy has limited the effectiveness of this body. The Asia Forum strongly supports the stated objective of the Japanese government’s reform proposal, which is to promote the greater utilization of personal data to support innovation and economic growth. Key to achieving this goal will be the establishment of a “third party authority” that has the legal mandate, budget and personnel necessary to establish a clear yet flexible set of rules to govern privacy and to enforce compliance with transparency and close attention to due process. Additionally, we urge attention to minimizing restrictions on cross-border transfers of data, steps to align Japan’s approach to personal data protection with international best practices, and the importance of establishing clear reporting requirements in the case of data breaches. We believe that close coordination of data protection policies between Japan and Korea can be an example for other countries in Asia and help promote greater integration of the emerging Internet Economy in the region.

The Asia Forum is a collaborative project of Keio University and Korea University that focuses on promoting joint research, faculty/student exchange and capacity building on challenges involving cybersecurity and Internet privacy. The Forum was launched in November 2012 and has organized a number of bilateral and international events in Tokyo and Seoul on issues, such as cloud computing, “big data,” the Internet of Things, responding to data breaches, protecting critical infrastructure, developing a cybersecurity curriculum and aligning national approaches in Asia to cybersecurity and privacy.

Ensure that the “Third Party Authority” has the Necessary Legal Mandate, Budget and Human Resources to Set Data Protection Policy and Enforce Compliance 

The Asia Forum supports the government’s outline of the structure and responsibilities of the new “third party authority.” We believe that the new organization should (1) serve as a “one-stop” window for engaging with the GOJ on privacy regulations, (2) administer privacy regulations for the GOJ comprehensively, in contrast to the currently fragmented policies and guidelines produced by various agencies, and (3) provide transparent and consistent positions on privacy matters for consumers, business and foreign governments. We urge that the new authority be given the personnel and budget required to meet these responsibilities. We understand that a transition period will be needed before the new agency is ready to oversee privacy policy independently and that close coordination with national ministries and local governments will continue to be essential. However, the new “third party authority” must have the tools and a clear mandate to set rules for privacy and to enforce compliance.

Minimize Restrictions on Cross-Border Data Transfers
The Asia Forum welcomes the recommendation by the Japanese government to establish an accountability-based transfer regime, based on a third party certification process which would set appropriate guidelines that companies would be expected to follow. We believe that such a market-based approach can facilitate trade, contribute to mutual recognition from foreign governments and alleviate concerns about Japanese protectionist measures in the data field. If certain areas, e.g., national security, require special guidelines, these should be regulated separately. Such policies will allow Japan to partner with Korea and advanced Internet economies in advocating for freer cross-border data flows in the face of barriers raised by other jurisdictions in the Asia region.

Align Japan’s Approach to Data Protection with International Best Practices
Discussion: The Asia Forum welcomes the emphasis in the government proposal on the need for Japan to better align its approach to personal data protection with international best practices. Such a position will make possible better coordination between the Japanese and Korean authorities in dealing with governments in the Asia region, which are taking national based approaches that endanger the smooth transfer of data across jurisdictions.

Both Japanese and Korean companies operating in the Asia-Pacific region have much to lose if other nations adopt inconsistent and discriminatory standards for cross-border data transfers. As Japan moves forward with reforming the legal framework for personal data protection, it should reference closely the recent experience of the Korean government in revising its privacy rules, with particular attention to strengthening coordination across government of privacy enforcement.

Establish Clear Coordination and Reporting Requirements for Data Breaches
Recently it was discovered that nearly 100 million credit card accounts in Korea were compromised and the information sold to marketing firms. Such a massive data leakage can cause significant financial losses for firms and undermine the confidence of consumers.

In such cases, it is essential that the data protection authority have clear channels for communicating with police and other agencies in government responsible for cybersecurity. The Asia Forum supports the recommendation that the new “third party authority” work closely with the newly proposed Cabinet Cybersecurity Center to develop a consolidated approach to dealing with data breaches, reducing overlapping mandates among government agencies and strengthening coordination. To promote private sector cooperation, incident reporting requirements should be aligned with the severity of the security breach and firms reporting breaches should be given access to information held by the government regarding the latest developments related to potential future threats.

__________________________________________________________________________________________________________

American Chamber of Commerce in Japan (ACCJ) | 日本語

The American Chamber of Commerce in Japan (ACCJ) appreciates the thoughtful recommendations advanced by the Personal Information Review Working Group and its focus on creating a regulatory environment that facilitates cross border transfers of data and promotes the greater utilization of “big data” and cloud services. The hard work, however, starts now. The new “third party authority” will need the budget and personnel to meet the ambitious new responsibilities assigned to it. It will have a full agenda because many important issues remain unresolved.

Among them are: 1) the definition of quasi personal data and personal information deemed “sensitive”; 2) the mechanics for involving the multistakeholder community in rule-making; 3) the details of how the new “third party authority” will work with existing ministries in managing privacy policy; 4) the framework for cooperation between the “third party authority” and the new Cybersecurity Center; 5) an agreed process for consumer consent (including opt-out), for the handling of requests for disclosure or deletion of personal data and for managing issues associated with profiling; 6) rules for accrediting third-party organizations to oversee cross-border transfers of data; and 7) the development of an equitable dispute settlement mechanism with attention to assuring due process and penalties that are proportionate to the size, sensitivity and intentionality of the offense.

The ACCJ member companies look forward to working closely with the GOJ and the new “third party authority” as it addresses these issues before and subsequent to the legislative adoption of the new privacy framework. We are reassured by the tenor of the recommendations and discussion in the Working Group Report to the effect that changes to Japan’s privacy framework are on the right course and urge that reforms to the current regulations governing the use of personal information take the least restrictive approach, respect due process, limit compliance costs and seek to integrate the views of the multistakeholder community into the development and implementation of any new framework for privacy protection.

Promoting Utilization of Personal Data for Commercial Purposes
The ACCJ strongly supports the Working Group’s stated objective of “removing barriers to commercial use of personal data.” While personal information needs to be protected, the utilization of personal data is important 1) for providing a competitive range of value-added products and services for consumers, 2) for promoting the vitality of the private sector, and 3) as a source of new businesses and economic growth. We welcome the clear statement in the Working Group report that the appropriate utilization of personal information is important for achieving economic growth and innovation, and for bringing new benefits to consumers.

A “Dynamic” Approach to the Protection of Personal Information
In assessing potential privacy issues, the approach under the current law has been to consider only what is specifically permitted under the regulation. As a result, even in cases where a particular use may occasion little risk of infringing individual rights and interests, businesses have been reluctant to introduce new and innovative ways of using personal information out of a fear that such new uses do not fall precisely within existing definitions of which data is protected. Among the recommendations in the Working Group Report is a call for a “dynamic” approach to protecting privacy, based on the recognition that there are “limits” to how effective laws and guidelines can be in dealing with a fast changing technology and business environment. The ACCJ supports this proposal and suggests that a “dynamic” approach to protecting personal information should include consideration of both the legal and commercial aspects of new uses for personal information, including a balancing of the actual risks of infringement with legitimate expectations of privacy.

Involvement of the Multistakeholder Community in the Rule Making Process
The ACCJ has long argued for a more open and transparent rule-making process for data protection in Japan. We are consequently pleased that the Working Group also sees a prominent role for the multistakeholder community in the development of codes of conduct as a key element of Japan’s new privacy framework. The foreign business community is ready to play an active role in this process and we believe that the recent experience of the U.S. National Telecommunications and Information Administration (NTIA) in working with a mixed group of government, academic, technical and civil society representatives to develop a “code of conduct” for mobile application transparency offers a point of reference to the new “third party authority” in considering how to structure this process.

Key to the success of this approach will be strong efforts to involve all relevant stakeholders and measures to support capacity building, so as to enable stakeholders to participate effectively. Credible and effective enforcement of codes developed through this process is also vital.

Eliminating Overlapping Authorities within the GOJ for Data Protection
The ACCJ supports the Working Group’s outline for the structure and responsibilities of the new “third party authority.” We believe that the new organization should (1) serve as a “one-stop” window for engaging with the GOJ on privacy regulations, (2) administer privacy regulations for the GOJ comprehensively, in contrast to the currently fragmented policies and guidelines produced by various agencies, and (3) provide transparent and consistent positions on privacy matters for consumers, business and foreign governments. We urge that the new authority be given the personnel and budget required to meet these responsibilities.

We further agree that a transition period will be required before the new agency is ready to oversee privacy policy independently and that close coordination with ministries having responsibilities in this area and with local governments will be essential during this period and afterwards as well. Additionally, in cases where existing agencies will continue to have a supervisory role in a specific sector, such as the Financial Services Agency (FSA), the new privacy authority should not impose duplicative and possibly conflicting requirements, including requirements for third party certification.

Clarification of the Definition and Scope of Personal Information
The Working Report directly takes up the problem of the “grey zone” with regard to the current legal framework for personal data protection in Japan, acknowledging that it has slowed innovation and growth in the utilization of personal information. The report underscores the need to clearly lay out the definition and scope of personal information to be protected under the new law. The ACCJ agrees that the definition of personal information under the current law is vague and has created a great deal of uncertainty for business. We are particularly concerned about how quasi personal information, which is not mentioned in the Working Group Report, will be treated. The ACCJ believes that definitions of personal information and policies derived from these definitions need to strike a balance between the rights of individuals to privacy and the benefits to the economy of the greater utilization of data. Moreover, new definitions should also take into account the compliance costs for business, since these ultimately are borne by the consumer.

Permitting Transfer of De-identified Data to Third-Parties
The ACCJ believes that new regulations in Japan should include provisions that encourage the use of de-identified data as an alternative to using personal data. De-identified data has the potential to provide many of the same benefits to businesses and consumers that personal data does, but at a reduced risk to individual privacy. We consequently welcome the recommendation from the Working Group permitting the use of de-identified information without the specific consent of the individual. In implementing the recommendation, we encourage the GOJ to reference criteria adopted by the U.S. Federal Trade Commission (FTC) in 2012 for the handling of de-identified data. These include: 1) reasonable efforts to ensure that data is de-identified; 2) a public commitment to use the data in a de-identified fashion; and 3) guarantees that data will not be re-identified. Any guidelines for de-identifying data should be flexible enough to keep up with technological innovation and provide companies complying with this guidance with safe harbor. We welcome the Working Group suggestion that guidelines for data processing methods be flexible and include private sector input. Involvement by the “third party authority” in this process should be kept to a minimum given the fast changing nature of the business environment.

Facilitating Obtaining Consumer Consent for Repurposing Data Usage
The ACCJ applauds the Working Group’s recommendation that, in the case of de-identified data, usage should be permitted beyond the scope of original consent as long as the processing of the data is consistent with relevant guidelines. We also note that the Working Group is asking the new “third party authority” to develop a framework for allowing users to opt out when personal data will be used for purposes other than originally agreed to. The ACCJ believes that rules regarding when consumer consent is required and how that consent is obtained should be commensurate with the sensitivity of the data and the purposes for which the data is used, including any secondary uses. In most cases, first consent should be construed to cover subsequent usage of data for the same purpose, i.e. there should not be a requirement to reconfirm consent as long as the service is provided within the scope of the original consent. We recommend that an early priority for the “third party authority” should be to engage the multistakeholder community to develop a comprehensive and coherent approach in this area, with principles-based rules.

Clarification of Procedures for Data Disclosure and Deletion
The Working Group is asking the new “third party authority” to clarify data controllers’ responsibilities in responding to data disclosure or deletion requests, maintaining a balance between the rights of users and compliance costs to business. The ACCJ believes that there is good reason to exempt the following data categories from disclosure or deletion requirements. They include a) data that was de-identified with no intention to re-identify; b) data that requires continuing storage to comply with tax and other regulatory requirements; c) data that was collected during the course of correspondence with the consumer; d) data that may create potential privacy or other civil liberties issues for others, if disclosed; and e) data that was posted to third-party services such as SNS by users. Additionally, we believe that further discussion is required before establishing any new right for individuals to file a civil suit through the court system to seek disclosure or deletion of personal information.

Consolidating Reporting Requirements in Cases of Data Breaches
Currently, when a data breach occurs, companies may receive duplicative inquiries from different ministries/agencies. Responding to these multiple requests raises the cost of doing business. We urge that the new “third party authority” work closely with the newly proposed Cybersecurity Center to develop a consolidated approach to cyber incidents, eliminating overlapping mandates of government authorities in this area. Additionally, incident reporting requirements should be aligned with the severity of the security breach and firms reporting breaches should be given access to information held by the third party authority regarding the latest developments related to potential future threats.

Minimizing Restrictions on Cross-Border Data Flows
The ACCJ welcomes the recommendation by the Working Group to establish an accountability-based transfer regime, based on a third party certification process which would set appropriate guidelines that companies would be expected to follow. We believe that such a market-based approach would facilitate trade, contribute to mutual recognition from foreign governments and alleviate concerns about Japanese protectionist measures in the data field. If certain areas, e.g., national security, require special guidelines, these could be regulated separately. Such policies would allow Japan to advocate more effectively in regional and global fora, such as Asia-Pacific Economic Cooperation (APEC), the Trans-Pacific Partnership (TPP) and others, for freer cross-border data flows in the face of barriers raised by other jurisdictions in the region.

Avoiding Conflicting Legal Frameworks
Companies offering data services globally are often beset by conflicting regulatory requirements and associated penalties. We welcome the Working Group’s emphasis on the need for the GOJ to align its approach to personal data protection with international best practices. This gives the GOJ a strong position in dealing with those foreign governments that take national based approaches, which endanger the smooth transfer of data across jurisdictions. Both U.S. and Japanese companies operating in the Asia-Pacific region have much to lose if third countries adopt inconsistent and discriminatory standards for cross-border data transfers.

The United States and Japan should set an example by taking steps to better align their domestic legal frameworks for protecting personal data, using the U.S.-Japan Policy Cooperation Dialogue on the Internet Economy as a forum for developing joint approaches to third countries.

Respect for Due Process and Support for Constructive Solutions to Data Breaches
The GOJ should seek constructive solutions to problems involving data protection and avoid the imposition of excessive fines, including the provision of a reduction in penalties in cases where organizations comply with recognized privacy rules and the use of high standard security technology and protocols. We note that the Working Group will continue to develop recommendations in this area and urge them to consider mandating that the “third party authority” establish a notice and hearing process that protects the interests of both consumers and service providers. Such a posture by the GOJ would contribute to mutual recognition with foreign governments and serve as an incentive for companies to actively protect personal data by utilizing existing globally recognized privacy protection frameworks, such as the APEC Cross Border Privacy Rules (CBPR).

__________________________________________________________________________________________________________

Australian Privacy Foundation

The Australian Privacy Foundation (APF) is making this submission regarding Japan’s proposed changes to its data privacy law via APF’s International Committee. Like Japan, Australia is an APEC Member economy, and a potential participant in the APEC CBPs, and therefore has a direct interest in the strength and credibility of Japan’s data privacy laws, because they have the potential to affect Australian citizens and consumers. The APF is Australia’s only non-government organisation dedicated to privacy advocacy, operating since 1987. Background on the APF is available at www.privacy.org.au.

The APF makes the following submissions concerning Japan’s proposals:

1. Japan’s Personal Information Protection Act (PIPA) has the weakest privacy principles of any Asia-Pacific country that has a data privacy law. These proposals will, overall, weaken the principles in Japan’s law, although they do have some positive aspects. To obtain international credibility for its privacy laws, Japan needs to move its law more in line with the 103 other countries with data privacy laws, rather than aligning itself with the isolated United States position of no comprehensive privacy law. Suggested improvements to privacy principles are in the following submissions.

2. The proposal to remove most privacy protections from supposed ‘reduced identifiability’ data will depart from current international standards for ‘personal data’ and put Japan out-of-step with other countries, rather than in advance of them. No standards for de-identification are proposed, and it will be essentially a self-regulatory system. No penalties are proposed against any party if data is in fact re-identified. This is simply a ‘best efforts’ approach with no consequences for ‘failure’ to de-identify. It will destroy protections for consumers (and consumer confidence in e-commerce), and pose a moral hazard to businesses. Japan can find better ways to improve socially valuable utilization of personal data than this ill-considered approach. These proposed changes will provide little benefit to most Japanese businesses, and will primarily benefit to business interests.

3. Japan already has very weak limitations on both change of use (to ‘duly related’ uses) and disclosure to third parties (an ‘opt out’ procedure – see PIPA art. 23). The proposal to have an ‘opt out’ for any change of use, without need to directly notify individuals (a notification to the DPA and publication may suffice) is not found in any other country’s law, will reduce consumer protection, and may not comply with the OECD Guidelines.

4. No requirement of deletion of personal data at any time is in the current PIPA, or is proposed (although business might be required to publish deletion / retention periods). Almost all countries now require deletion when use is completed, including 7/11 Asian jurisdictions with data privacy laws.

5. It is not clear under PIPA how a consumer is able to insist on their rights of access or correction, which is a unique deficiency in data privacy laws. The proposals imply that this will be corrected, and such correction is welcome and necessary. It is desirable that the right of access, and all other individual rights, should be enforceable by the new DPA (‘3rd party organization’), and also by judicial bodies.

6. PIPA does not at present include any definition of, or special rules about, ‘sensitive information’. The proposals to define categories of ‘sensitive information’ and give them additional protections are desirable, provided that protections for other personal data are not weakened.

7. The proposals to have rules under the law made by ‘multi-stakeholder’ processes (MSPs) which will include businesses, government, experts and consumers are not in the interests of consumers. MSPs are inherently unbalanced because business and government can always afford to be better represented, to attend more meetings, and to do so at remote locations. It will be difficult to make MSPs work for anyone other than business in the Japanese context.

8. Enforcement of PIPA is minimal. No Ministerial orders or prosecutions occur. Industry complaints bodies do very little. There are no clear procedures for individual complaints to be made – there is little transparency, and in particular no published results of complaints. Individuals cannot enforce PIPA in court to obtain compensation for breaches (Tokyo High Court decision). As a result, individuals have no effective enforceable rights under Japan’s law. This means it is a law which does not meet international standards. Strong reforms, including a central Data Protection Authority (DPA), enforceability and transparency are needed if Japan wants global credibility for its law. The following submissions suggest improvements needed to the government proposals in relation to enforcement.

9. The proposal to create what is called a ‘3rd Party Organisation’, but would elsewhere be called a data protection authority (DPA is the term used in this submission), is desirable if the DPA has strong enough powers and responsibilities. A strong DPA is necessary to give central coordination, direction and consistency, and a central locus for individual complaints and remedies. Japan’s current decentralized dispersal of authority between Ministries, local government bodies, and many semi-official industry and consumer bodies, is not effective.

10. The DPA needs to at least have powers to issue administrative fines, and to investigate and order remedies in relation to individual complaints (or refer such cases to an independent tribunal for final decision). These are the bare minimum requirements for any other DPA in the world (92 countries have DPAs plus many sub-national DPAs). If Japan is going to create a DPA, it should aim for a DPA which meets international standards and has credibility.

11. It is clear from the government’s proposals that at least some Ministries are trying to retain as much of their sectoral powers as possible, and are attempting to ensure that any ‘3rd party’ DPA does not have any serious powers within their sectors. These attempts should be resisted by the government, because the feudal Ministry-centred nature of Japan’s privacy law has made it ineffective. Business and consumers need consistent central guidance.

12. Government Ministries and agencies are also resisting having a DPA with enforcement powers over complaints against public sector agencies. Japanese citizens need an effective avenue to pursue public sector privacy complaints, which they do not have at present. If Japan does create a DPA, but it has no jurisdiction over Japan’s public sector privacy laws (except perhaps the ID number), it will be the only DPA in the world in such an invidious situation. This will not assist the international reputation of Japan’s law. The government should insist that the DPA covers the whole public sector in all its activities.

13. Individuals have at present no right to sue in court for damages for breaches of PIPA. Most data privacy laws give a right to damages from either a court or DPA, including all European laws, and all data privacy laws in Asian countries except Malaysia and Japan. The proposals should include a right to obtain damages (including for non-pecuniary harm) from either the DPA or a court (or preferably either).

14. The proposals do not include any requirements of transparency of enforcement by publication of the outcomes of individual complaints. Other DPAs, in Asia (e.g. Hong Kong, Korea, Macau) publish such case summaries, as do many in other jurisdictions including the USA’s FTC. Publication of such summaries, not just statistics, should be required.

15. In conclusion, the APF gives strong support to the Japanese government taking this opportunity to revise its data privacy law after a decade of operation. However, while it is desirable to make the law more clear in its operation, to assist businesses, this should not involve weakening protections for consumers, because both the principles and the enforcement of the law need strengthening in consumer and citizen interests. The international credibility of Japan’s data privacy law also needs to be strengthened by bringing it more into line with standards adopted internationally, and in other countries in the Asia-Pacific, and by making its enforcement more transparent. In particular, it will not assist Japan to make a radical departure from the meaning of ‘personal information’ that has evolved over the past 30 years.

__________________________________________________________________________________________________________

Eiichiro Okuyama – Keio University, Faculty of Environment & Information Studies

The Outline of the System Reform Concerning the Utilization of Personal Data is an extremely important and timely step in the development of the Internet Economy in Japan. Japanese business society has been falling behind in comparison to their foreign competitors in the last ten years. It is encouraging to see that Japan is taking an open approach to the Internet ecosystem rather than a regulated, government centric ecosystem like that in Europe and the neighboring Asian countries. An open and innovation driven Internet society is the direction Japan needs to go in order to stimulate the Japanese Internet economy and environment.

Although the direction is clearly stated, the way in which the government plans to proceed is not clearly defined. The government should address the following points and develop a thorough and thoughtful outline through further discussion.

1) Creating a detailed plan for transferring the set of powers to a trusted third party from the ministries.
2) Creating dynamic categories of data that can keep up with the constantly changing Internet ecosystem.
3) Defining the “right to be forgotten” in the Japanese policy strategy.
4) Clarifying the relationship between the “third party authority” and the existing “Specific Personal Information Protection Commission” with regard to the “National ID System.”

Specific Comments

A developed strategy is necessary in order to ensure the transfer of powers from the ministries to the third party organization.

The largest obstacle in this process of change will be empowering the trusted third party. In the current organization, where each ministry watches over data related to their respective fields, it will be difficult to convince these ministries to turn over the power to a third party. Therefore, solutions to convince the ministries of the benefits will be necessary. I recommend a process in which the government offers incentives in supporting the third party and maintains full transparency in the process of shifting over power from the ministries to the third party to create a system of checks and balances.

Definition of key concepts should be flexible so as to adjust to the changing information technology scheme.

The key focus addressed in the outline was the creation of a privacy framework that would drive innovation in the Japanese economy. The outline suggests that through redefinition of important concepts businesses will be more confident and comfortable in utilizing cloud computing and big data. These backbone concepts will create the base of the Japanese privacy framework and will surely motivate the country to drive innovation in ICT. Although redefinition will make things clear for businesses as well as consumers as to what data can be utilized and what cannot, there is a concern that definitions will again change over time.

Therefore, when defining new terms, such as “quasi-personal” data and even old categories such as “personal data” and “non-personal” data, it is important to create dynamic and flexible definitions that can react and deal with the constantly changing Internet society.

A balance must be struck between allowing options like the “right to be forgotten” and the concept of an open and transparent Internet.

Focus on the trust by consumers, the users who generate the personal information, was repeatedly addressed in the outline. Consumer trust requires a strong third party that can respond dynamically to their concerns. The “right to be forgotten” is part of this discussion. Yet the “right to be forgotten” goes against the basic concept of the Internet, which is to maintain openness and transparency in a single Internet. Consequently the third party must be able to judge claims and concerns from a step back and balance the benefits of the availability of information on the Internet to the risks when making the decision of allowing people the “right to be forgotten.”

The role of the third party organization must include the current and added functions to the Specific Personal Information Protection Commission (SPIPC) or the relationship must be defined in the privacy law in order to avoid the lack of coordination and unbalance of powers.

The introduction of the national ID system in 2016 will bring great changes to the Japanese society in regards to the citizens’ views on personal information. Both feelings of excitement and doubt can be expected from the upcoming changes. In order to gain the trust of the data providers for the purpose of effective data utilization under the national ID system, the role of the third party organization and SPIPC must be clearly defined in order to avoid national disaster. In the case of the Korean Resident Registration Number system, the Korean national ID system, the Korean government faced delays due to the lack of coordination and communication between its three privacy organizations: the Ministry of Security and Public Administration (MOSPA), the Personal Information Protection Commission (PIPC), and the Korea Communications Commission (KCC). Japan must create a third party authority that can coordinate over all functions regarding Japanese privacy or specify the relationship between the third party and SPIPC in order to take effective and efficient measures in necessary situations.

__________________________________________________________________________________________________________

Rohan Wadhwa – Keio University, Faculty of Environment & Information Studies

Eliminating the “grey zone” and making “de-identified” data widely available for business use.

Sharing “de-identified” personal data among several different organizations and corporations is essential for the growth of innovation and expanded research on benefits of data analysis. The decision to share anonymized personal information without the consent of the user could indeed facilitate and smoothen the process. Measures to anonymize the data before it could be shared with third party organizations should be robust and be overseen by the independent “third party authority.”

The data sets being maintained should be designed to ensure that reconstructing personal information should not be an easy task. While any organization would like to reconstruct the personal information, consumers should be notified and informed about the corresponding disclosure rules. Regulations need to be introduced for the secondary use of data so that confidence between consumers and the service providers can be maintained.

As expected, the exponential growth in technological innovations always seems to outpace any existing privacy framework implemented in law. Even though the “third party authority” will not be laying down specific guidelines to administer data processing methods, it is absolutely vital that the “third party authority” conducts periodical validity checks which ensure that every organization’s data processing methods are in compliance with the enforced regulations. Controversial and new data processing methods should be carefully considered and only be authorized through consultation with all stakeholders.

Promoting cross-border data transfers through a third party accreditation process.

Many countries and regions, for example the EU and Russia, have introduced strict data protection laws which restrict the usage of personal data in those regions themselves. Proposed free cross border data transfers could be an important catalyst for Japanese businesses to utilize its pre-existing great Internet infrastructure and produce successful worldwide businesses which have been scarce so far.

Introducing a multistakeholder process to develop sectorial based privacy rules.

The introduction of multi-stakeholder process in the report is an encouraging step and goes hand in hand with the changing model of Internet governance worldwide. Proper representation from all concerned stakeholders should be ensured for the process to meet its objectives.