2003 JAPAN LAW

PRIVACY PROTECTION
KEYWORDS: DATA, BANKS, YAHOO

Japan has been hit by a raft of scandals involving the loss of personal data. Both Japanese as well as foreign firms operating in Japan have been hit. Whether it was Citibank which lost credit card information on some of its Japanese customers due to a mess-up in Singapore, or an affiliate of Yahoo Japan which saw data on millions of its members stolen and the company blackmailed for billions of yen. Alarmed at these problems the Japanese government took measures to try to prevent such problems as well as cracking down criminally on particularly egregious cases.

In April 2005 a new law to protect personal information will go into effect. The law requires a new regulatory infrastructure for the appropriate protection of personal information by businesses and the government. Each ministry will be required to come out with guidelines to cover the industries over which they have jurisdiction.

Part of this effort involves increased efforts on controlling company employees, which are often at the core of the problem. The Ministry of Public Management, Home Affairs, Posts and Telecommunications wants telecommunications companies to conclude secrecy agreements with company employees. Matters to be covered include not only the obvious such as names, addresses, birth dates, and sex, but also voices and images which can be used to identify. The Telecommunications Business Law already calls for the protection of information. This effort is supplemental to the new personal information protection law. There is concern that while outsiders can be punished for breaking into a network, there are no penalties for activities by employees. Even the new law results in only the prosecution of those in charge of protecting information, but not ordinary employees. Thus the ministry is considering further amendments to existing laws or even new laws altogether.

The Financial Services Agency will create new guidelines suspending the operations of financial institutions when they leak personal information. Particular emphasis will be given to personal information such as fingerprints, political beliefs, medical history, criminal records and ethnicity/nationality. Basically the goal is for financial institutions to be banned from collecting such information. Punishment would be meted out even if their procedures are merely regarded as sloppy by the agency, increasing the risk of leaks, even without an actual leak. The FSA wants employees to sign secrecy agreements and arrangements made limiting employee access to client personal data. In order to achieve such goals the agency may consider seeking amendments to the securities, banking and insurance laws. The Federation of Credit Bureaus of Japan has complained that illegal credit information brokers have been trying to buy such information and then sell it.

The Ministry of Economy, Trade and Industry also came out with its guidelines for the new 2005 law. The guidelines will apply to manufacturers, information processing companies, consumer credit firms, wholesalers and retailers which utilize personal data on 5000 people or more. Data to be protected include names, physical address, telephone numbers, email addresses, financial data, employment related info and physical data. Multimedia data such as sounds and images are included, such as video from surveillance cameras. When collecting data the individual will have to be notified of such intent and the use of the data, particularly if it will be sold to 3rd parties. When provided to other companies, even group companies, the individual’s consent should be received. Strict controls on employees handling the data should be applied, even secrecy clauses in their employment contracts. Oversight managers should be assigned and strict controls also applied to part-time workers, temp staff and outsource firms. Access to personal data is to be tightly restricted and not used for purposes other than those originally authorized. Outsource companies must be strictly monitored.

On top of this, the Ministry of Economy, Trade and Industry called for a revision of the Penal Code to cover the theft of personal information by imposing the same penalties as the theft of tangible property. One of the aims again, is to hit employees working at subcontractors or temp workers who transfer such information without approval. The 2005 law for the protection does not apply to activities by individuals, only businesses and government. These new criminal provisions would apply to individuals.

As there is concern over the abuse of private genetic information and as the new 2005 law would not apply to research institutes, the Ministry of Education, Culture, Sports, Science and Technology, the Ministry of Economy, Trade and Industry, and the Ministry of Health, Labor and Welfare have agreed to establish a study group made up of experts with the mission of studying a possible new law to cover such problems. Particular concern is over anonymity, third party access and informed consent.

The biggest scandal, involving Yahoo BB, a broadband internet service firm, had been blackmailed for billions of yen when information on 4.6 million employees was stolen. A temporary employee of the company gave two hackers ID numbers and passwords. The hackers broke into the databank and stole the data. Softbank was then blackmailed, with demands for 2 billion yen. The demands were made by a former executive of Softbank BB. In the end however, although he was prosecuted, the judge gave him only a suspended sentence. Yahoo BB gave its customers 500 yen compensation each, costing it over 4 billion yen when everything was considered. Yahoo has 1500 temporary workers, compared to 2000 permanent employees.

In fact, 3 customers did file suit against Yahoo BB about the leak seeking 100,000 yen damages. The case was filed at the Osaka District Court.

In another case involving invasion of privacy, but not telecom or databases, in March, 2004 the Tokyo High Court ordered Waseda University to pay 15,000 yen to three plaintiffs. The university gave the police a list of people who attended a 1998 lecture by Chinese President Jiang Zemin. The list had the names of 1400 students who attended.

Fight International Criminal Court & NeoEuropean Imperialism!

DISCLAIMER JapanLaw.info is intended purely for introductory, educational purposes. If you plan a transaction in Japan, consult with a licensed Japanese attorney. THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS PUBLICATION COULD INCLUDE INACCURACIES OR ERRORS IN TYPOGRAPHY OR TRANSLATION .