A bill to protect personal information will be one of the most contentious issues in the upcoming extraordinary session scheduled to convene in mid-October, but it is widely perceived that the bill will have only a remote chance of being enacted in the session. Since its submission to the regular Diet session last year, the bill has been aborted three times and now it is almost certain to be delayed for a third year. The stalemate stems from a wrong-footed start, whereby the government took misguided steps at the outset.
When the Basic Resident Register Act was revised in 1999, the media called for regulations to protect privacy and the government - in an attempt to dodge criticism that the revised law is tantamount to a universal identity numbering system - began to take legislative steps to protect personal information. Once the personal protection bill was drawn up, however, media organizations denounced it as the government's attempt to control the media. Thus, the government excluded major media organizations, namely, broadcasters, newspapers, wire services and other news media. But this prompted a backlash from publishers and freelance journalists, sending the whole issue into the quagmire.
The target of the proposed personal information protection legislation is databases, not the media. As far as I know, no media organs have ever been prosecuted in the world under this kind of law. But it is the media that have been making much noise, while the computer industry strangely remains silent. This is despite the prospect of most websites (homepages on the Internet) becoming "illegal" should this bill get enacted into law.
Most corporate homepages will likely be subjected to regulations
When the concept of privacy first came into being in the end of the 19th century, it was to protect prominent figures from scandal coverage. But today's privacy issue is different and concerns personal data on computers. The mixing up of these two concepts is responsible for the ongoing confusion.
With the development of computer networks, in the 1970s personal credit information began to circulate without the knowledge of the concerned individual. In response, in 1980, the Organisation for Economic Co-operation and Development set forth guidelines for the protection of personal information. Of the eight principles constituting the guidelines, the most important one is the collection limitation principle that says, "There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject."The European Union Directive on Personal Data Privacy, established in line with the OECD guidelines, took effect in 1995, urging each EU member state to enact relevant domestic legislation. However, from around this time, the Internet began to spread rapidly. The EU principles, which stand on the premise of closed networks among mainframe computers, would make illegal almost all activities in the open world of the Internet if they were to be strictly applied.
For instance, in Sweden, a country that rigidly follows the EU principles, an animal rights group carrying a list of furriers on its homepage and a consumer group criticizing a bank executive on its homepage were subjected to administrative punishments. Multinationals are now closing their websites in Sweden.
The United States has taken a different approach, putting greater priority on the freedom of expression. Instead of implementing such comprehensive restrictions as in Europe, the U.S. opted to set forth sector-by-sector regulations, leaving judgment of their violation in the hands of the judicial authorities. This is probably due to the wisdom of Anglo-American laws in which laws are effectively modified, through an accumulation of judicial precedents, to meet the changing needs of time.
The EU directive, however, prohibits the transfer of personal data to a country that does not comply with the EU principles, to which the U.S. government reacted harshly. Subsequent negotiations between the two sides settled with an agreement to develop a "Safe Harbor" framework that provides a special streamlined means for U.S. organizations to comply with the EU directive. In reality, however, less than 250 U.S. companies have joined the Safe Harbor and the remaining vast majority of companies are engaged in electronic commerce transactions - which are "illegal" based on the EU standards - with European companies.
In Japan, even the presence of these problems has yet to be recognized. Opposition parties are demanding that the personal information protection bill be scrapped, while insisting that the Basic Residential Register Network System (Juki Net) should not be launched until a personal information protection law is enacted. They remain as they always have as voices of opposition for the sake of opposition.
Creating a stir in such stagnation, is the Yomiuri Shimbun, a major daily newspaper, which has put forward a set of modification proposals. Expected modification proposals from New Komeito will likely fall in line with those presented by the Yomiuri. The Yomiuri's stance - calling for the early enactment of a personal information protection law, regardless of any restrictions that would be imposed on other industries, as long as the immunity to the news media is secured - is symbolic of the major media organs' arrogant perception that they are always privileged enough to deserve special treatment, just as they are provided with a press club in each government ministry.
Japan's proposed legislation to protect personal information is based on the OECD guidelines, but it is neither calling for regulations as comprehensive as those in Europe nor leaving the judgment on respective cases in the hands of the judicial authorities as in the U.S. Simply put, Japan's approach is a two-step process, setting out the basic principles for personal information protection in the first stage, then, imposing specific legal obligations on respective industries and subjecting violators to penalties. The media have been excluded from obligations thus there is hardly further reason for them to continue making a fuss. The Internet however, would be inevitably made subject to the regulations.
Cabinet Councilor Akio Fujii, who drew up the bill, said, "Websites handling personal information of a designated number of people or more would be subjected to regulation whether they are run by profit-seeking operators or nonprofit organizations." As the designated number is likely to be 5,000, most corporate websites would be subjected to the Article 21 of the proposed law that prohibits the handling of personal information without the consent of the concerned individuals.
If any problem occurs on a certain website, the government would be able to order the closure of that specific site. Search engine operators would find it extremely difficult to continue operations should a certain individual demand them to eliminate all the personal information about him- or herself. Electronic bulletin boards such as "Nichanneru (2ch)," which abound in troubles, would face a high risk of forced closure.
"Freedom of expression" in Internet age
Now that it is highly likely that the bill in question will be aborted in the upcoming Diet session, it is not too late to rethink the whole issue fundamentally. Information about me is neither mine nor should I be the owner of such information. Rights to control information about self are tantamount to privately censoring personal information and this should not be allowed in a democratic society. Because there is little incentive for producing personal information, strong protection of rights, such as copyrights protection, would not be necessary. Any disputes that may arise should be addressed in an ex-post manner.
The problem is not the leakage of personal information itself, but the malicious use (or misuse) of leaked personal information, such as having names misplaced on a black list or receiving invitations of questionable origin. But actual damages incurred in such cases would be limited and it would not be necessary to implement comprehensive regulations. The government should shift to a stance of keeping the circulation of personal information free in principle and take measures to prevent the malicious use of such information.
Specifically, the government should set a minimum scope for information that needs to be strictly protected, providing a positive list of protected information that includes family registration, credit information, and clinical history. As to the other information, the government should not implement any ex ante restrictions. Instead, it should establish a system to provide remedies for damage inflicted by the malicious use of information. For this, the role of a dispute settlement organ becomes very important. The conventional court procedures are time-consuming and costly, while self-regulating organs set up by respective industries are barely functioning. Even the establishment of a personal information protection body, which would be established under the proposed personal information protection legislation, would be problematic with regard to its neutrality of and independence from the administrative authorities.
An alternative dispute resolution (ADR) system specialized in personal information protection, which is operated by a nonprofit and neutral organization, should be created. In this case, it might be necessary to oblige certain website operators to keep a log of access information so that an offender in an anonymous online message board can be specified.
In the age of the Internet, freedom of expression is not a problem solely for the media. It is suspected that the revised Basic Resident Register Act that prohibits the use of resident register code numbers is in violation of the Constitution. In computer networks, the freedom of collecting and using information should be guaranteed to the maximum extent possible. Legislation on personal information protection must be fully reworked from the perspective of ensuring freedom on the Internet.
*reprinted from DIAMOND Magazine (October 19, 2002)
