Yohko Orito, Kiyoshi Murata
As we move on into the twenty-first century, it has become clearer that development and deployment of information and communication technology (ICT) is likely to threaten information privacy of individuals as data subjects. In developed countries, the importance of information privacy is acknowledged and laws and regulations to protect it have been enforced. On the other hand, it is often alleged that the concept of privacy is subjectively understood and interpreted in a specific context, i.e., privacy is a subjective, time-serving concept. In other words, understanding and interpretation of the concept of privacy correlates with the socio-cultural background including the circumstances of development and spread of ICT and enactment of the legislation. These characteristics of privacy are reflected in people’s behaviour related to protection of information privacy.
In Japan, the laws which cover the public sector were enforced in 1988 whereas personal data protection within the private sector was remained to be entrusted by self-regulation. However, due to external pressure put by the international community such as Directive 95/46/EC on the processing of personal data, the Act for protection of personal data which covered both the public and private sectors was enforced in April 2005.This act regulates individuals and organisations that collect and store personal data and obligate them to undertake measures to ensure the proper handling of personal data. The introduction of the Act raised the public sector’s and corporate awareness of necessity to address personal data protection and the spread of knowledge of the enforcement of the Act among society in general, mainly because the Act entailed penalty clauses.
This has led to mixed results; one area has been excessive response to the Act. This was highlighted in the JR FUKUCHIYAMA Train Disaster in April 2005, where in order to abide by the Act the hospitals, in which the casualties were taken, would not disclose information on names and condition of them. Consequently, relatives of the casualties were at a loss how to acquire vital information of them. This case suggests that over-zealous adherence to the Act resulted in losing sight of the original objectives of it; the Act presumes the usefulness of personal data and intends to promote personal data use harmonised with protection.
In addition, many cases in which people tried to apply the Act in such a rigid way that anomalies and muddles were brought about were reported. For example, after the enforcement of the Act, making lists such as community membership lists and student lists is often discouraged, because some of habitants, the students and the parents of them refused provision of personal data. They assumed that they had the right to do this arbitrarily based on the Act. There were even some people who rejected to fill out the census form on the authority of the Act, although it was not applied to the census. Moreover, in order to comply with the Act, several local governments refused to reply the enquiries of defendants from lawyers engaged in the preparation of the lawsuits.
The efforts of personal data protection made by Japanese firms seem to be based on “cold feet-based” compliance; they hesitate to do anything which is questionable whether legal or not in terms of the Act. Indeed, from 1 April 2005, the day of the enforcement of the Act, to date, there has been no firm prosecuted due to violation of the Act. The firms appear to struggle to avoid damage on their reputation suffered by being defendants of the first case of violation of the Act.
In order to get out of the messy situations surrounding protection of personal data and information privacy in Japan, reconsideration of the concept of information privacy responding to the modern information society is necessary. This challenge requires answering the following questions:
(a) Who owns personal data which are collected, stored and used by some organisation?
(b) Is it acceptable to reconsider the concept of information privacy based on a certain socio-cultural context?
The concept of information privacy insists that an individual has the right to control the circulation of his/her own data. However, if a significant number of people try to execute this right and, for example, call on organisations to let the people know whether their personal data are held by the organisations and, if that is the case, whether the data are correct, ordinal activities of the organisations would be disabled and quality of the services provided by the organisations would deteriorate. This suggest that in the modern information society where many organisations collect and use personal data in order to provide their services effectively and efficiently, the concept of information privacy may not respond to the reality. This seems to mean that a certain part of the right to information privacy should be alienated to organisations which use personal data for their business and they have to fulfil their fiduciary responsibility with respect to protection of personal data.