Protecting Japan's Privacy
Possible revisions to Japan's Personal Information Protection Law could impose an even greater burden on businesses
December 1, 2006
David Evan Case
Just when Japanese and multinational companies were getting comfortable with the requirements of the Personal Information Protection Law (the "PIPL") and its guidelines, there are now signs that the law could be amended in the near future, placing additional burdens and complexity on companies already stretched thin.
On July 28, 2006, the Quality of Life Policy Bureau (the "Bureau"), a policymaking bureau within the Prime Minister's Cabinet Office, released an issue paper for public comment entitled Primary Issues for Consideration Regarding Personal Information Protection.1
Industry practitioners, consumer groups, academics and lawyers alike used the issue paper and the invitation to submit public comment as an opportunity to air their views on the state of the PIPL. Although collecting opinions from stakeholders was one of the stated aims of the Bureau in releasing this paper, it also reads in parts like a response to critics of the Bureau and the PIPL and a preemptive strike on future debate.
One gets this impression because, while most items presented by the Bureau in the issue paper are phrased in an open-ended manner designed to elicit broad response, others are phrased in a purely rhetorical manner with the apparent intention of ending discussion or at least guiding it to a conclusion favored by the Bureau. At still other times, the Bureau seems to have dropped any pretense of a desire to receive public comment on an issue and has responded directly to critics inside and outside of the government as to what it thinks the answer is or should be. Finally, in addition to these mixed messages and multiple aims, the paper also reads like a trial balloon for future amendments being considered by the Bureau. For this reason, perhaps more than any other, practitioners should pay close attention to data protection developments in Japan over the next 12 months.
What the Issue Paper Says
What follows is my summary of the many issues raised by the Bureau in the paper. For those issues that I felt read more like policy statements or were phrased rhetorically, I have tried to capture that nuance in my summary:
1. Provide comments on the fact that while some businesses have taken compliance with the PIPL very seriously, other businesses have failed to take sufficient measures. In addition, provide comments on the fact that because some small and medium-sized businesses are not subject to the PIPL, they are lagging in their efforts to protect data.
2. Provide comments on the so-called over-reaction by some businesses in their attempt to comply with the PIPL and whether the Bureau needs to clarify when personal information may be disclosed to third parties2 as well as on the perceived burdens and obstacles faced by businesses publishing directories in obtaining consent from individuals.3
3. Comment on whether Japan should amend its definition of "personal information" to be consistent with the international view contained within the OECD guidelines, which define personal information to "mean[ ] any information relating to an identified or identifiable individual …"4 Furthermore, provide comments on whether, in light of the nature or the intended uses of personal data, stricter measures and rules should apply.
4. Comment on whether resident associations, alumni associations or businesses with fewer than 5,000 individual records should be relieved from complying with the PIPL.
5. Comment on whether interpretation of the PIPL should be made consistent with the predominant practices of business. Also comment on whether some differences in interpretation, meaning and application among the 34 different guidelines covering 22 industrial sectors released by Japanese ministries are inevitable, and whether there are nevertheless some areas of these guidelines that could be standardized and made consistent from one guideline to the next.
6. Comment on whether adhering to a privacy mark certification program helps businesses protect personal information. And comment on the perception that small and medium-sized businesses are burdened by information management costs associated with complying with the PIPL.
7. Comment on whether direct mail marketing campaigns used by businesses have been made more difficult under the PIPL. Also, what additional measures might be taken to prevent the misuse of personal information aside from the prohibitions currently provided in the PIPL?
8. Although the level of security demanded by society changes over time, what level of data security should be implemented by businesses? Moreover, considering that the security risks faced by businesses vary, should the security measures employed by a business be matched to the specific risk it faces?
9. Although small and medium-sized businesses may not have the same resources (as larger businesses) to sufficiently manage and secure personal data, isn't it important that such businesses nevertheless improve their data security procedures?5
10. Comment on the perception by some that attempts by businesses to increase the protection of personal information in those areas where the security risk is particularly high have resulted in excessive burdens being placed on employees. Provide comments on employee video monitoring and the appropriate manner by which a business might implement such monitoring. Also comment on the appropriateness of the practice of including, in employee pledges to protect personal information, pledges to protect company trade secrets and provisions subjecting employees to damages for any breach.
11. Provide comments on the fact that security obligations placed on delegatees and sub-contractors handling personal data are being strengthened and increased. Also, comment on whether the outsourcing of data to a delegatee should be made more transparent to the data subject.6
12. Comment on whether businesses should be allowed to handle personal data obtained through publicly available directories separately from other personal data that they hold.
13. Comment on whether amendments to the PIPL are needed to prevent the scope of use of personal information from expanding in cases of delegation to a subcontractor, merger or joint use.
14. Comment on the perception of some businesses that the level of specificity required when disclosing a business's purpose of use is excessive.7
15. Comment on the opinion of some that businesses should be required to disclose to data subjects their sources of personal information. Because the apprehension of data subjects will likely not be dispelled, shouldn't businesses generally disclose in their privacy policies the sources of held personal data?
16. Currently, under the PIPL, individuals may only demand the cessation of use or deletion of their data in cases when data is improperly obtained or illegally used. Is the scope of this right appropriate?
17. Should approved personal information protection organizations be empowered to provide guidance and recommendations to (member) businesses in the case of, for example, data leakage or other violations?
18. Comment on whether Japan should have a more global perspective in how it protects personal information so as to make its system compatible with other systems around the world. Also, comment on the lack of any rules in the PIPL regarding cross-border transfer of data, which is different from the laws of most countries.
19. Comment on whether it is necessary to establish a neutral, independent data protection agency separate from the current competent ministry system, as is the case in other countries around the world.
20. Provide comments on the fact that the PIPL does not generally protect the personal information of deceased individuals.8
As can be seen from the above, the paper covers a broad range of issues, including several that stand out as particularly concerning, which I turn to next.
Definition of Personal Information
The first issue that stood out to me was the possible expansion of the definition of personal information to include information that relates to an "identifiable" individual. Currently, the PIPL provides that "personal information" means information about a living individual that can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual). By adding the portion from the OECD definition to include information "relating to an identified or identifiable individual" the definition of the PIPL would be expanded, but it is arguable whether any such amendment would make the meaning of personal information any clearer for businesses to bring their practices into compliance or provide any additional protection to individuals. Even if information on its own does not identify an individual, if it can be combined with other information accessible by the data controller, all such data falls within the scope of personal information. As a result, information that relates to an "identifiable" individual is likely already subject to the PIPL in most cases.
Standardization Among Guidelines
A second concern is the paper's fatalistic comment that conflicting obligations between ministry guidelines might be inevitable and irresolvable. While there are likely high structural and political hurdles to overcome in trying to get the various ministries to agree to a common interpretation of important concepts and obligations under the PIPL, the belief that such hurdles can never be overcome, or are not worth trying to overcome, places the cost of this political disagreement on businesses.
Identity of Delegatees
A third concern is the possibility that companies may have to disclose the identity of delegatees and outsourcing subcontractors. Currently, under the exceptions provided in Article 23 of the PIPL, a business may delegate data processing activities to a service provider without the consent of or notice to the data subject. For many global multinationals, it may not be possible to stay on top of and disclose in a privacy statement, on an ever-changing basis, the identity of every delegatee. An obligation that businesses disclose the identity of service providers might also provide a powerful tool to protectionists masquerading under the guise of data protection, by allowing companies that outsource data overseas to be labeled as less trustworthy.
Source of Personal Information
A fourth concern that stands out is the possibility that businesses might be required to disclose to data subjects the sources of their personal information. The Bureau also seems to half-conclude that by disclosing the source of data, the apprehension of data subjects regarding the collection of their data will be reduced. But businesses may fear reprisals from customers for having shared data, or for having been the source of legitimately shared data, and this may make businesses more hesitant to share data at all, which would unnecessarily restrict the flow of information and data.
Cross Border Transfers
A final concern raised by the paper is the prospect of restrictions being placed on cross-border transfers of personal data. The PIPL currently does not place any restriction on cross-border transfers of data. Instead, it requires businesses to obtain the consent (including opt-out consent) of data subjects before any personal data is disclosed to a third party, which means any party other than a delegatee, a merging company or a "joint user". Rather than viewing data transfers myopically by focusing on the geography of the parties, the PIPL, rightly in my opinion, focuses on obtaining consent from the data subject regarding the transfer itself. Hence, in exchange for not having restrictions on cross-border transfers, Japanese businesses are required to obtain consent from individuals prior to the transfer. If the PIPL were to be amended to include restrictions on cross-border transfers, the current, carefully crafted balance might be undermined, and businesses may find it even harder to transfer data in and out of Japan because of the extra cross-border hurdle placed in front of them.
Conclusion
Whether and how the PIPL will be amended is, at this point, unanswerable by anyone outside of the Bureau or the Cabinet, but any movements to amend the PIPL should be closely watched by businesses and practitioners alike.
1 http://www5.cao.go.jp/seikatsu/kojin/index.html (No English translation available).
2 The most frequently cited example was the refusal by some hospitals to release information to relatives inquiring whether loved ones were hospitalized after a large train wreck shortly after the PIPL went into effect.
3 In relation to this issue, the Bureau inserted a commentary note that the issue of individuals refusing to consent to being included in directories may not be a problem with the PIPL so much as a heightened sense of privacy now held by individuals and that individuals should be informed about opt-out procedures to resolve this issue.
4 Currently, Article 2 of the PIPL defines personal information to mean "information about a living individual that can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual)."
5 The Issue Paper further queried whether greater government involvement in training was necessary to support the efforts of businesses in light of Japan’s strong national policy on information security and whether within "information security management systems", there might not be some way to increase the overall level of security.
6 Currently, under the PIPL there is no obligation to disclose the identity of outsourcing delegatees to the data subject.
7 The Bureau then commented that, because the PIPL provides that the purpose of use be described as concretely as possible, shouldn’t businesses’ attitudes towards specifying their purposes be improved (instead of the law)?
8 Unlisted here were a few more issues regarding the personal information practices of local and regional governments within Japan.
David E. Case is a senior associate at White & Case LLP, permanently working in its Tokyo, Japan office. He is licensed to practice law in New York, USA and he is a registered foreign lawyer in Japan. Due to the general nature of its contents, this article is not and should not be regarded as legal advice.