OECD Privacy Guidelines and Japan 1 Japan is one of the member countries that have been significantly affected by the 1980 OECD privacy guidelines. Japan showed a great deal of interest in the early stages of the formation of basic guidelines regarding the international circulation of personal data and privacy protection. In 1978, the OECD, led by Justice Michael Kirby of Australia (today's 1st session keynote speaker), formed the ad hoc "Expert Group on Transborder Data Barriers and Privacy Protection". In November 1979, then-OECD ICCP Division head, Hans Peter Gassmann (panelist in today's 1st session), was invited to a symposium in Tokyo. Local governments worked quickly to adopt their own personal data protection regulations. The earliest of such regulations in Japan were "regulations concerning personal data protection management on computers", introduced in Tokushima City on June 28, 1973. These were followed by the privacy protection regulations adopted by Kunitachi City of the Tokyo Metropolitan area in 1975. After the OECD privacy guidelines were introduced in 1980, they became the model for regulations in Japan. Local governments were pressed to establish their own regulations, and although some national governments had yet to set regulations for personal data protection, by April 2006 all local governments in Japan had introduced such regulations. In 1980, there were more than 3000 local bodies throughout Japan. Due to the merging of municipalities, that number has dropped to about 1800. As a municipal law, each of the 1800 local governments has an ordinance on the protection of personal information. This demonstrates the consideration given to the OECD privacy guidelines in Japan when establishing our own personal data protection regulations. 2 After adopting the "Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data" on September 23, 1980, the Administrative Management Agency set up a "Privacy Protection Research Group" to investigate domestic legislation of the OECD Guidelines. In July 1982, this research group compiled a report entitled "Personal Data Management and Privacy Protection Measures", which proposed legislation on the grounds that new laws based on the basic principles of privacy protection were necessary. This was to be the foundation of the OECD privacy guidelines. With reference to European data protection laws, we considered an omnibus formula of personal data protection laws, but the Management and Coordination Agency subsequently examined and legislated the retaining of personal data within administrative agencies. This led to the establishment of the "law relating to the protection of personal data stored on administrative agency -1- computers" in 1988. After adopting the recommendation, legislation relating to the private sector was discussed, but no laws were enacted, so protection measures based on the guidelines were introduced. Personal data protection guidelines in the financial sector were put in place in 1987 by foundations under the jurisdiction of the Ministry of Finance., Under the jurisdiction of the Ministry of International Trade and Industry (MITI), the private sector adopted these guidelines in 1989, followed by the telecommunications industry in 1991, also under the watch of MITI, as well as the Ministry of Posts and Telecommunications. All of these guidelines were based on the OECD privacy guidelines 3 The Japanese Government has been engaged in personal data protection laws in the private sector on a national level since July 1999, when a personal data protection investigation unit was set up in the high-tech telecommunications society promotion department which resulted in a personal data protection law finally being enacted in May 2003. At the same time, an administrative agency personal data protection law and independent administrative corporation personal data protection law took effect. This new administrative agency personal data protection law represented a complete overhaul of the 1998 law for the protection of personal data stored on administrative agency computers. 4 All of these personal data protection laws have been shaped around the main points of the OECD privacy guidelines. Using the personal data protection laws applicable to the private sector as an example, I would like to refer to the "8 OECD principles and Japanese personal data protection laws", and present the specific regulations that correspond to the 8 privacy guideline principles. 5 A second generation of legislative efforts considered the protection of personal data as a separate, fundamental right, distinct from the right to privacy. Japan's legislative structure is based on three main laws relating to the protection of personal information, enacted on May 30, 2003, plus two supplementary legislation and administrative documents. The Personal Information Protection Act is the key legislation, setting out basic principles and applicable to both the public and private sectors. Japan does not have sufficient national data protection authority to meet the accreditation standards of the International Conference of Data Protection Commissioners. The minister in charge of each ministry has the authority to enforce the Act on the Protection of Personal Information, which -2- ensures the proper handling and protection of personal information. For this reason, guidelines for each business field have been established under the Act by the relevant ministries and agencies for each domain. The basis for the formulation and review of the guidelines by the government ministries is shown on the slide. 38 guidelines set by each Ministry have been established in 24 fields, encompassing fairly specific industry sub-sectors. As well as this, emerging issues in each field, such as behavioral targeting marketing and cloud computing, are examined on a daily basis. 6 Guidelines for voluntary controls began to be formulated in the late 1980’s. At present, guidelines issued by administrative organisations include both these guidelines and the JIS (Japan Industry Standards). In addition, a certification system called the PrivacyMark System is currently being established in the private sector. In order to be accredited by the PrivacyMark System, a third-party organization must objectively evaluate the compliance of private enterprises with all relevant laws and regulations, including JIS Q 15001. We have found this to be an effective tool that allows private enterprises to demonstrate their compliance with the law and that they have voluntarily established a personal information protection management system with a high level of protection. Currently, around 10,000 Japanese companies have been accredited by the PrivacyMark System. 7 In conclusion, it can be said that few countries in the world have applied the basic ideology of the OECD privacy guidelines for privacy and personal data protection in the same way as Japan, not only in the public sector such as national and local governments, but also in the private sector. In constructing the basic legal framework for personal data protection, Japan has placed the utmost importance on representing the basic ideologies of the OECD guidelines. -3-