OECD Privacy Guidelines and Japan
1
Japan is one of the member countries that have been significantly affected by the 1980 OECD
privacy guidelines. Japan showed a great deal of interest in the early stages of the formation of basic
guidelines regarding the international circulation of personal data and privacy protection. In 1978,
the OECD, led by Justice Michael Kirby of Australia (today's 1st session keynote speaker), formed
the ad hoc "Expert Group on Transborder Data Barriers and Privacy Protection". In November
1979, then-OECD ICCP Division head, Hans Peter Gassmann (panelist in today's 1st session), was
invited to a symposium in Tokyo.
Local governments worked quickly to adopt their own personal data protection regulations. The
earliest of such regulations in Japan were "regulations concerning personal data protection
management on computers", introduced in Tokushima City on June 28, 1973. These were followed
by the privacy protection regulations adopted by Kunitachi City of the Tokyo Metropolitan area in
1975. After the OECD privacy guidelines were introduced in 1980, they became the model for
regulations in Japan. Local governments were pressed to establish their own regulations, and
although some national governments had yet to set regulations for personal data protection, by April
2006 all local governments in Japan had introduced such regulations.
In 1980, there were more than 3000 local bodies throughout Japan. Due to the merging of
municipalities, that number has dropped to about 1800. As a municipal law, each of the 1800 local
governments has an ordinance on the protection of personal information. This demonstrates the
consideration given to the OECD privacy guidelines in Japan when establishing our own personal
data protection regulations.
2
After adopting the "Recommendation of the Council Concerning Guidelines Governing the
Protection of Privacy and Transborder Flows of Personal Data" on September 23, 1980, the
Administrative Management Agency set up a "Privacy Protection Research Group" to investigate
domestic legislation of the OECD Guidelines. In July 1982, this research group compiled a report
entitled "Personal Data Management and Privacy Protection Measures", which proposed legislation
on the grounds that new laws based on the basic principles of privacy protection were necessary.
This was to be the foundation of the OECD privacy guidelines.
With reference to European data protection laws, we considered an omnibus formula of personal
data protection laws, but the Management and Coordination Agency subsequently examined and
legislated the retaining of personal data within administrative agencies. This led to the
establishment of the "law relating to the protection of personal data stored on administrative agency
computers" in 1988.
After adopting the recommendation, legislation relating to the private sector was discussed, but no
laws were enacted, so protection measures based on the guidelines were introduced. Personal data
protection guidelines in the financial sector were put in place in 1987 by foundations under the
jurisdiction of the Ministry of Finance. Under the jurisdiction of the Ministry of International Trade
and Industry (MITI), the private sector adopted these guidelines in 1989, followed by the
telecommunications industry in 1991, also under the watch of MITI, as well as the Ministry of Posts
and Telecommunications. All of these guidelines were based on the OECD privacy guidelines.
3
The Japanese Government has been engaged in personal data protection laws in the private sector on
a national level since July 1999, when a personal data protection investigation unit was set up in the
high-tech telecommunications society promotion department, which resulted in a personal data
protection law finally being enacted in May 2003. At the same time, an administrative agency
personal data protection law and independent administrative corporation personal data protection
law took effect. This new administrative agency personal data protection law represented a
complete overhaul of the 1998 law for the protection of personal data stored on administrative
agency computers.
4
All of these personal data protection laws have been shaped around the main points of the OECD
privacy guidelines. Using the personal data protection laws applicable to the private sector as an
example, I would like to refer to the "8 OECD principles and Japanese personal data protection
laws", and present the specific regulations that correspond to the 8 privacy guideline principles.
5
A second generation of legislative efforts considered the protection of personal data as a separate,
fundamental right, distinct from the right to privacy. Japan's legislative structure is based on three
main laws relating to the protection of personal information, enacted on May 30, 2003, plus two
supplementary legislation and administrative documents. The Personal Information Protection Act
is the key legislation, setting out basic principles and applicable to both the public and private
sectors.
Japan does not have sufficient national data protection authority to meet the accreditation standards
of the International Conference of Data Protection Commissioners. The minister in charge of each
ministry has the authority to enforce the Act on the Protection of Personal Information, which
ensures the proper handling and protection of personal information. For this reason, guidelines for
each business field have been established under the Act by the relevant ministries and agencies for
each domain. The basis for the formulation and review of the guidelines by the government
ministries is shown on the slide. 38 guidelines set by each Ministry have been established in 24
fields, encompassing fairly specific industry sub-sectors.
As well as this, emerging issues in each field, such as behavioral targeting marketing and cloud
computing, are examined on a daily basis.
6
Guidelines for voluntary controls began to be formulated in the late 1980’s. At present, guidelines
issued by administrative organisations include both these guidelines and the JIS (Japan Industry
Standards). In addition, a certification system called the PrivacyMark System is currently being
established in the private sector.
In order to be accredited by the PrivacyMark System, a third-party organization must objectively
evaluate the compliance of private enterprises with all relevant laws and regulations, including JIS
Q 15001. We have found this to be an effective tool that allows private enterprises to demonstrate
their compliance with the law and that they have voluntarily established a personal information
protection management system with a high level of protection.
Currently, around 10,000 Japanese companies have been accredited by the PrivacyMark System.
7
In conclusion, it can be said that few countries in the world have applied the basic ideology of the
OECD privacy guidelines for privacy and personal data protection in the same way as Japan, not
only in the public sector such as national and local governments, but also in the private sector. In
constructing the basic legal framework for personal data protection, Japan has placed the utmost
importance on representing the basic ideologies of the OECD guidelines.