Jump to ContentJump to Main Navigation
Bulk CollectionSystematic Government Access to Private-Sector Data$

Fred H. Cate and James X. Dempsey

Print publication date: 2017

Print ISBN-13: 9780190685515

Published to Oxford Scholarship Online: October 2017

DOI: 10.1093/oso/9780190685515.001.0001

Show Summary Details
Page of

PRINTED FROM OXFORD SCHOLARSHIP ONLINE (www.oxfordscholarship.com). (c) Copyright Oxford University Press, 2019. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use. date: 12 December 2019

Systematic Government Access to Private-Sector Data in Japan

Systematic Government Access to Private-Sector Data in Japan

Chapter:
(p.275) 13 Systematic Government Access to Private-Sector Data in Japan
Source:
Bulk Collection
Author(s):

Motohiro Tsuchiya

Publisher:
Oxford University Press
DOI:10.1093/oso/9780190685515.003.0013

Abstract and Keywords

The Japanese legal system has been based on the German legal system since the mid-nineteenth century, but the American legal system was grafted onto it following Japan’s defeat in World War II in 1945. The postwar Constitution contained an article regarding the secrecy of communications and protected privacy in terms of respect of individuals. Now, as the Personal Information Protection Law in the Executive Branch, which was enacted in 1988, and the Personal Information Protection Law, which was enacted in 2003, strictly regulate privacy, there have been fewer problematic cases regarding governmental access to private-sector data. Data gathering for law enforcement or intelligence activities has also been weaker following World War II. Private-sector corporations/organizations might share data with government agencies, but based on voluntary arrangements, not by any mandatory system. More focus is being cast not on governmental access to private-sector data, but on citizen’s access to data.

Keywords:   Japanese privacy law, voluntary disclosures, private-sector data, personal information protection, data jurisdiction

I. Abstract

The Japanese legal system has been based on the German legal system since the mid-nineteenth century, but the American legal system was grafted on to it following Japan’s defeat in World War II in 1945. The postwar Constitution contained an article regarding the secrecy of communication and protected privacy in terms of respect of individuals. As of 2015, the Japanese government had 64,632 record files containing personal/privacy information of Japanese and foreign persons. Now, as the Personal Information Protection Law in the Executive Branch, which was enacted in 1988, and the Personal Information Protection Law, which was enacted in 2003, strictly regulate privacy, there have been fewer problematic cases regarding governmental access to private-sector data. Data gathering for law enforcement or intelligence activities has also been weaker following World War II. Private-sector corporations/organizations might share data with government agencies, but this is based on voluntary arrangements, not by any mandatory system. More focus is being cast not on governmental access to private-sector data, but on citizen’s access to data, which government agencies are holding, as well as the establishment of a national ID system.

II. National Legal Context and Fundamental Principles

After the Meiji Restoration in 1867, Japan started adopting Western-style legal systems, especially from Germany, or Prussia. Japan needed to place the reins of government back in the hands of the Emperor from the rule of the Shoguns of the Tokugawas from the seventeenth century to mid-nineteenth century. However, the Emperor was not to become an absolute ruler but the head of a constitutional monarchy comprising independent legislative, executive, and judicial branches. (p.276) Leaders of the Meiji Restoration needed the Emperor as a symbol of a new political system, but tried to retain actual power in their own hands. Prussia was an example of such a system. Other social systems were mixtures of other Western traditions. For example, the road system was adopted from the United Kingdom. Japan still drives on the left.

The attempt of the Empire of Japan to become a regional hegemon was defeated by Japan’s losing of World War II, which ended in 1945. The General Headquarters (GHQ) of the Allied Forces occupied the main four islands of Japan until 1952, while Okinawa was kept under the military administration of the United States until 1972. GHQ broke down many of the extant political, economic, and social systems in order to transform Japan into a more peaceful and democratic state. However, GHQ did not abolish the imperial system. This means that Japan’s current legal system retains elements of the prewar systems.

At first, GHQ tried to allow the Japanese to redesign a new constitution themselves, but their first draft was considered too conservative. Then, General Douglas MacArthur ordered his GHQ staff to draft a constitution, and it was handed to the Japanese drafters. As there were many New Dealers in GHQ, the new Constitution is imbued with idealism. For example, Article 9 abolished the use of armed forces to solve international disputes. But it became one of the core problems regarding Japanese postwar diplomacy and national security policy. Later administrations in the United States requested Japanese rearmament, and the Japan Self-Defence Forces was established under the Japan-US Security Treaty.

Although the Constitution introduced American idealism, many of the statutory laws inherited from the prewar systems were still influenced by the German legal system. That is, the American legal system was grafted on the previous system after Japan lost World War II. For 70 years after its promulgation, many people have tried or proposed modification of the Constitution, but such attempts have been unsuccessful as the procedure to do so is so difficult. In July 2016 House of Councilors election the Liberal Democratic Party, New Komeito, and other parties, which were in favor of revising the Constitution, won two-thirds of the House. It is one step further for the revision, but Prime Minister Shinzo Abe posed a cautious position, though the revision is his long-time ambition.

The Japanese Constitution does not have any specific stipulations regarding protecting privacy, but Article 13, that people be respected as individuals, is said to protect rights of privacy. And Article 21, “nor shall the secrecy of communication be violated,” clearly guarantees the secrecy of communication in writing. However, despite these articles in the Constitution, statutory laws were not enacted even after Japan regained its independence in 1952. The Personal Information Protection Law in the Executive Branch was enacted in 1988 and the Personal Information Protection Law covering the private sector was enacted in 2003. The 2003 Law was a direct response to the EU Data Protection Directive. Before the 2003 Law, there were privacy protection guidelines in each economic/social sector. There was no omnibus act covering public and private sectors on the same basis. Most of those guidelines were made by each sector or industry to cope with its own problems without statutory laws. The 2003 Law overrode (p.277) these guidelines and started regulating information gathering, storage, and dissemination in an excessive way. This has served to stifle government, business, and social activities. For example, in schools, parents cannot share their contact information, as school managers don’t want to take the risks of storing such “sensitive” information. The law doesn’t punish a thief who steals privacy information, but punishes an administrator who lets it be stolen. People, businesses, and even government agencies started avoiding holding privacy information.

Even before the 2003 Law, the Japanese government had hesitated to systematically access private-sector data. Based on bitter prewar and wartime experiences regarding the invasion of privacy and other human rights violations, Japan’s mass media strongly opposes the presence of any government hand in private-sector information. Therefore, formal access to such information is not favored in Japan. The government relies on weaker, informal access to private-sector data. The private sector has set up its own guidelines and the government requested reports from it based on business laws regulating each sector.

Governmental data collection is also limited in law enforcement and intelligence activities. There is no corresponding law to the IPA (Investigatory Powers Act) in the United Kingdom and the USA FREEDOM Act in the United States. Interception of communications, or wiretapping, is not a popular tool among Japanese law enforcement/intelligence agencies. This is a deep-seated taboo after World War II, based on the widely shared repentance that spy agencies and military police powers abused wiretapping during the war. Nonetheless, the Interception Law for law enforcement purposes was enacted in 1999 while loud oppositions were heard against the enactment, but executive wiretapping is not clearly authorized. There is no strong power to seek wider wiretapping in the Japanese society.

In these contexts, there seems to be very few cases of systematic access to private-sector data by the Japanese government, as far as the author finds.

III. Statutory and Regulatory Overview

A. Freedom to Collect and Store Information

In principle, there is freedom to collect information for the government or the private sector in Japan.1 However, in cases of invading others’ rights or of clearly violating the social order, such activities might be prohibited. Among others, in cases involving specific and sensitive information, invasion of privacy is recognized.2 However, there is no clear definition in the laws of what is “sensitive” (p.278) information. Section 4.4.2.3 of the Japanese Industrial Standards (JIS) Q 15001 defines it as follows:

  1. 1. Issues of thought, creed and religion

  2. 2. Race, nation, birthplace, domicile of origin, physical handicap, mental disability, criminal record, and other factors of social discrimination

  3. 3. Participatory status in a labor union

  4. 4. Participatory status in political activity

  5. 5. Medical and sexual life

Article 133 of the Criminal Law prohibits the opening of private mail. Articles 4 and 179 of the Telecommunications Business Law protect secrecy of communications. Article 3 of the Secrecy Protection Law regarding Japan-US Mutual Defense Aid Arrangements protects defense secrets connected to American military forces, but general defense secrets are not covered in full. A security clearance system has not been introduced to cover both the public and private sectors. One covers parts of the Ministry of Defence and the Self-Defence Forces.

Private-sector trade secrets are partially protected by Articles 3 and 4 of the Unfair Competition Prevention Law. It was revised in November 2005 to add penalties. Trade secrets must be kept secret and not be revealed to the public (Article 2).

Under the current laws, it is not necessarily illegal to steal information in Japan. If you take out confidential information from a stored place, you will be punished for stealing paper sheets or digital disks, not for stealing the information itself. However, the Unauthorised Access Prevention Law dissuades information theft in a sense. It was enacted in 1999 to respond to the rapid increase of computer-related crimes.

There is freedom to store information as well as collect information for the government and the private sector under the current laws in Japan.3 Usually it is not requested for any party to disclose what kinds of information are kept. However, if personal/private information is kept in one way or another, the Personal Information Protection Law can be applied to maintain such information securely.

It is possible for government to collect, store, or access information using its public powers. But such information can be regarded as public property. More people are claiming that government information activities be checked under citizens’ eyes.

B. Personal Information Protection Law

The most powerful law influencing governmental and private information activities is the Personal Information Protection Law enacted in 2003. The law strictly regulates the purpose of information collection and mandates strong protection of stored data. As a result of this law, collection and storage of personal/privacy data have stagnated in Japan. Incidental leaks of such data impose a high price for administrators in terms of compensation and reputation. It is also true for (p.279) government. Government agencies avoid unnecessary gathering of private data because of fear of being blamed following any leak of citizens’ privacy.

The law demands the definition of the purpose of data collection in each case to be as clear as possible (Article 20), and nobody can deal with data beyond defined purposes (Article 21). It is also forbidden to share data with a third party without consent (Article 28).4

As of 2015, the Japanese government has 64,632 record computer and manual (paper) files containing personal information of Japanese and foreign persons (Appendix 1).5 This number doesn’t include data on businesses corporations and other private organizations. Such files contain identifiers of more than 1,000 persons. If they contain fewer, they are not counted in this number. This number was reduced from 85,822 in 2011.

Table 13.1 shows examples of record systems containing personal information held by the Japanese government. The biggest owner of personal information among Japanese government agencies is the National Tax Agency, which gathers financial information on residents in Japan. Chapter 4 of the Establishment Law of the Ministry of Finance describes the mandates of the National Tax Agency. But it does not tell us how the agency is collecting data. (p.280)

Table 13.1. Examples of Record Systems Containing Personal Information Held by the Japanese Government

Ministry/Agency

Examples of Record Systems

National Tax Agency

Personal tax ledger; List of mandatory tax collector at the source; List of class attendants for alcohol selling; and others

Ministry of Justice

List of prisoners; Data on persons who enter and exit Japanese border (Japanese and foreigners); and others

National Police Agency

Drivers’ license information and others

Ministry of Foreign Affairs

List of foreign residents; Passport control file; List of foreign media; and others

Ministry of Health, Labour and Welfare

List of health care recipients; List of pension recipients; Public nursing care insurance recipients; List of money transfer to foreign countries; and others

Ministry of Defence

List of land owners for US bases

Ministry of Land, Infrastructure, Transport and Tourism

List of first-class architect; List of airline service employees; and others

source: http://www.soumu.go.jp/main_sosiki/gyoukan/kanri/pdf/shikojyokyo_h22/shikojyokyo_h22_12.pdf.

The government ministries, departments, and agencies are collecting these data based on (1) establishment laws of each government sector, and (2) business laws regulating each economic sector. The details of data collection methods are usually defined in ministry orders.

C. Law Enforcement and Intelligence Agencies

In Japanese society, government intelligence agencies are weaker as compared with other societies. The leader of the Japanese intelligence community is the Cabinet Intelligence Research Office (CIRO), and the community includes departments and agencies of the National Police Agency, the Ministry of Foreign Affairs, the Public Security Intelligence Agency, and the Ministry of Defence. But none of them holds big powers to access private-sector data. No cases of such agencies systematically accessing private-sector data have been found in the research process of this chapter. There is no question about these agencies collecting data on targets, but such activities are case-by-case and not systematic and regular. The National Police Agency and prefectural police departments all over Japan collect data especially on crime organizations such as cults and “yakuzas (mafias)” for law enforcement purposes. In order to stop money laundering, financial institutions are requested to report “doubtful” transactions to law enforcement agencies based on the Narcotics and Psychotropic Control Law and others, but this report is not mandatory. The government cannot access financial information without proper warrants.

Most cases involve accessing financial records for tax collection based on Article 141 of National Tax Collection Act (See Table 13.2). In other cases the Ministry of Justice is gathering data on persons who enter and exit Japanese borders based on the Emigration and Immigration Management and Refugee Recognition Law. As Japan is an island country, it is necessary to use vessels on the sea or airplanes to cross the border. (p.281)

Table 13.2. Access to Personal Record Files Beyond Original Purposes in Fiscal Year 2014

Administrative Agencies

Independent Administrative Legal Entities and Others

Cases based on Laws

2,698

293

Cases for Public Interests or Cases with First Person’s Consenta

279

232

(a) For example, the Imperial Household Agency discloses records of people who receive medals.

source: http://www.soumu.go.jp/main_content/000413445.pdf.

So far, there are fewer cases of the use of communications interception, or wiretapping, for law enforcement or other purposes.6 The Interception Law for law enforcement purposes was enacted in 1999, and it mandates annual disclosure of the number of interceptions done by police agencies all over Japan (Table 13.3). However, executive wiretapping to prevent future terrorism attacks or crimes is not authorized under the Japanese laws.

The Interception Law does not exclude computer communications. However, as Table 13.2 shows, all of the authorized interceptions in 2011 were mobile calls, because usually criminals prefer prepaid or illegally obtained mobile phones. Interception of Internet traffic is said to be legal under the current laws, but has not been used yet. The National Police Agency is still cautious about using the method. But it will be considered in the future. Of course, stored digital records in computers and other devices are searched with warrants.

The tradition of strict protection of communications secrecy dissuades telecommunications/Internet service providers from stopping apparently harmful traffic. They are allowed to access neither content nor corresponding communications data such as traffic data, service use data, and subscriber data. They only use such data to manage the quality and security of their networks with special reasons.7 (p.282)

Table 13.3. Number of Authorized Communications Interception in Japan in 2013

Case Number

Requests

Authorized

Communication Method

Number of Arrested Persons

1

8

8

Mobile

9

2

6

6

Mobile

4

3

12

12

Mobile

8

4

2

2

Mobile

12

5

4

4

Mobile

0

6

3

3

Mobile

3

7

3

3

Mobile

0

8

5

5

Mobile

3

9

6

6

Mobile

14

10

3

3

Mobile

12

11

7

7

Mobile

14

12

5

5

Mobile

0

source: http://www.moj.go.jp/content/000118702.pdf.

D. Business Laws

In Japan there are various business laws corresponding to each economic (sometimes social) sector, and supervisory authorities in the government can request or mandate reports mainly on financial data from participants in each sector. Most of such reports are on an on-demand basis, but usually businesses and persons submit reports without reluctance. This is an important and useful way for the Japanese government to understand the situation of each industry (Table 13.4).

Table 13.4. Examples of Business Sectors and Business Laws in Japan

Business Sector

Business Law

Supervisory Authority

Telecommunications

Telecommunications Business Act

Ministry of Internal Affairs and Communications

Banking

Banking Act

Financial Services Agency

Electric Power

Electricity Business Act

Ministry of Economy, Trade and Industry

Railways

Railway Business Act

Ministry of Land, Infrastructure, Transport and Tourism (p.286) (p.285)

IV. Recent Controversies and/or Pending Unresolved Issues concerning Systematic Government Access to Private-Sector Data

As cloud services on the Internet are becoming popular, the problem of data jurisdiction is being discussed here and there. If we put data in the United States, the US government could access the data under the USA FREEDOM Act and other laws. If we put data in the EU area, the EU Data Protection Directive would influence the data. Or, we might not be able to retrieve the data once we sent it to the EU if the EU or a Member State prohibits data transfer for any reason.8 Furthermore, it is said that data stored in servers in China might be accessed without legal reason. Therefore, it is not the governmental access to private-sector data that matters in Japan, but the way the government uses such services.

On the other hand, there is no statue in Japan to regulate data transfer overseas. However, there are semiformal guidelines clarifying the details of handling data, which prohibits international data transfer. Article 25 of the Foreign Exchange and Foreign Trade Law does not authorize international data transfer in some cases.9

However, this debate was drastically changed after the Great East Japan Earthquake and tsunami of March 11, 2011. The City of Takada in Iwate Prefecture (p.283) and three other cities and towns lost critical servers containing the basic data of their residents. The local governments could not issue certificates and other official documents. Following this, it is now being discussed whether or not critical data and information should be kept on-site. Data should be stored in remote sites in multiple locations. Cloud services can be insurance against such risks.

Japan maintains a domiciliary register system. Every citizen must be registered with the local government following birth. Family trees are also kept in government servers. The system used to be paper-based, but it was digitized and networked in 2000. Servers of local governments in Japan were interconnected to exchange traffic. This change raised a lot of privacy concerns, and several local governments refused to connect to the system.

However, in a networked society, it is critical to have digital data and a unique personal ID. Japanese residents have several unique IDs, for the domiciliary register system, for the tax ID system, for the pension system, the health insurance system, the driver’s license system, and others. More and more people want one-stop service with one ID. A national ID system is now on the political agenda.

In October 2015 “My Number” system started and all residents (citizens and foreigners living in Japan) started to be given their own 12-digit numbers (artificial persons get 13-digit numbers). This new system is for (1) realization of fair society, (2) effective government, and (3) advancement of people’s convenience. These numbers are used for social security services, tax collection, and disaster countermeasures. They are similar to Social Security Numbers in the United States, but they should not be shared for other services in private sectors. There are growing concerns about data breach, but the government claims this system will make related systems more transparent and efficient.

Related to the “My Number” system, the Personal Information Protection Commission (PPC) was established on January 1, 2016, by reorganizing the Specific Personal Information Protection Commission. The PPC is an independent body from government structures, and supervises private and government entities, which deal with personal information.10

V. Concluding Observations

In general, there have been no serious problems reported regarding systematic access to private-sector data by the Japanese government so far. This does not mean that there is actually no problem. Real problems might be just hidden from the public eye.

At any rate, the present political atmosphere does not allow such systematic access. And the impact of the Personal Information Protection Law in 2003 has suppressant effects over data gathering by government and business actors.

On-demand reports from the private sector to the government are a more common practice in Japan. This is not systematic and regular access, but works well between the business sector and the Japanese government.

Ministry/Agency

Number of Record Systems Containing Personal Information

Breakdown

Breakdown according to Number of Records

Less than 10,000

More than 10,000 and less than 100,000

More than 100,000 and less than 1 million

More than 1 million

Computer

Manual

Computer

Manual

Computer

Manual

Computer

Manual

Computer

Manual

National Tax Agency

57,807

51,893

5,914

29,962

25,219

4,743

20,815

19,775

1,040

6,955

6,824

131

75

75

0

Ministry of Justice

4,569

1,678

2,891

3,857

1,105

2,752

264

126

138

368

367

1

80

80

0

Ministry of Agriculture, Forestry and Fisheries

527

524

3

416

415

1

97

95

2

12

12

0

2

2

0

Ministry of Health, Labour and Welfare

404

219

185

277

114

163

56

42

14

25

20

5

46

43

3

Ministry of Internal Affairs and Communications

268

268

0

175

175

0

49

49

0

43

43

0

1

1

0

Ministry of Finance

265

265

0

149

149

0

71

71

0

30

30

0

15

15

0

Ministry of Defence

184

111

73

79

51

28

90

48

42

15

12

3

0

0

0

Financial Services Agency

21

12

8

10

3

7

10

8

2

1

1

0

0

0

0

Imperial Household Agency

119

2

117

96

2

94

23

0

23

0

0

0

0

0

0

Ministry of Land, Infrastructure, Transport and Tourism

101

88

13

34

32

2

35

27

8

22

19

3

10

10

0

Others

367

247

121

210

130

80

116

82

34

29

24

5

12

11

1

Total

64,632

55,307

9,325

35,265

27,395

7,870

21,626

20,323

1,303

7,500

7,352

148

241

237

4

source: http://www.soumu.go.jp/main_content/000413319.pdf.

Notes:

(1.) Taro Komukai, Introduction to Information Law (Joho Ho Nyumon) (Tokyo: NTT Publishing, 2008), p. 82 (in Japanese).

(2.) Hisamichi Okamura and Fumio Shimpo, Electronic Networks and Personal Information Protection (Denshi Network to Kojin Joho Hogo) (Tokyo: Keizai Sangyo Chosakai, 2002), p. 79 (in Japanese).

(3.) Komukai, above note 1, pp. 83–84.

(4.) Okamura and Shimpo, above note 2, p. 194.

(6.) Fumio Shimpo, Birth and Development of Rights of Privacy (Privacy no Kenri no Seisei to Tenkai) (Tokyo: Seibundo, 2000), pp. 250–278 (in Japanese).

(7.) Ikuo Takahashi, Koichiro Hayashi, Makoto Funahashi, and Kazuo Yoshida, “Strange Destiny of Secrecy of Communications (Statutory Law),” Joho Network Law Review, vol. 8 (2009), pp. 1–26 (in Japanese).

(8.) Hiroshi Kondo and Kei Matsumoto, Cloud and Law (Cloud to Hou) (Tokyo: Kinyu Zaisei Jijo Kenkyukai, 2011), pp. 117–22 (in Japanese).

(9.) Kazuaki Yoshii, “Legal Risks in Cloud Service,” Joho Network Law Review, vol. 10 (2011), pp. 159–74, footnote 47 (in Japanese).