Navigating the Murky Waters of Japan’s New Privacy Laws
 

You’ve just been engaged to conduct a large research project for a major bank. Recruitment is proving difficult, but your generous client steps in and offers you access to their large customer database. Great! Wish all clients were that accommodating! But wait, this is Japan, and the moment that customer data changes hands without the customers’ consent, the recently enacted privacy law has been violated.

Much has been written about the new laws and you may be finding your Japan-based partners, vendors, subsidiaries and colleagues just a little jittery on the subject. What exactly do they fear? In short, it’s the fear of the unknown… Read on and find out the implications of the Personal Information Protection Law of Japan and what it may mean for your business.

Here’s what we know for sure…

The law was enacted in May 2003, but its obligations on private-sector businesses do not come into force until April 2005. In the intervening period, government ministries and representatives of business groups have been in dialogue over how to apply the law in each business sector. So, for instance, the Ministry of Internal Affairs and Communications has drafted guidelines on the protection of personal information in the telecommunications and broadcasting fields. The Ministry of Health, Labor and Welfare has focused on employment data, clinical research data and healthcare. And so on. Note, though, that these are guidelines rather than binding regulations, and they leave much to the imagination as to how the law will be applied in practice.

First, some key definitions…

Personal Information refers to any information about a living individual that can ‘identify a specific individual’, including information that identifies someone only when readily matched against other data. A rather broad definition.

Personal Information Databases refer to computerized databases, or any other systematically organized collection, from which personal information can be easily retrieved. Would that include a Rolodex? An alphabetically ordered one almost certainly qualifies.

Businesses Handling Personal Information include all entities using personal information databases in their business operations, provided those databases identify MORE THAN 5,000 individuals (a threshold set by Cabinet Order rather than by the law itself). Smaller operators are exempt, but a single customer list or survey panel can easily exceed that number.

Third Parties include affiliates and group companies. An affiliate is NOT a third party only where it is engaged purely to process the data on the business’s behalf, where the database passes to it through a merger or other succession, or where joint use has been properly notified in advance (see item 9 below). Another broad definition.

OK, what does the law provide?

Well, in short, here are some things a Business Handling Personal Information needs to do:

1. Specify the intended use of Personal Information

This should be communicated directly to the Principal (the individual the data is about) or by public announcement. If the purpose of use changes beyond what is reasonably related to the original purpose, fresh notice must be given AND consent obtained.

2. Limit the use of Personal Information to that necessary to achieve the stated purpose

For example, if a panel of respondents has been recruited for a particular survey, mining their data for direct marketing purposes is clearly not permitted.

3. Acquire the information fairly

As opposed to unfairly. ‘Tricking’ an individual into parting with their data is not allowed.

4. Maintain accurate data

You would think this is in everyone’s interests anyway.

5. Adopt security control measures

The guidelines require that a security administrator be appointed to develop procedures to prevent unauthorized access, leakage, loss or damage of personal data, covering both external attack and internal misuse.

6. Properly supervise employees and delegates handling personal information

The same standards apply to vendors in outsourcing arrangements: entrusting data to a processor does not transfer the responsibility for it.


7. Permit access and correction

This is a scary one. In theory, any individual in a database can contact the business to gain access to their data, and the guidelines require the business to respond promptly. The individual can require corrections to be made, and the business should advise the principal once the correction has been made. An administrative challenge!

8. Create a complaint handling system

Businesses must handle complaints promptly themselves, and authorized Personal Information Protection Organizations will be established to respond to individual complaints in each sector.

9. Regarding sharing of data, someone in possession of Personal Information who wishes to share the data with third parties must

(1) provide prior notice to the individual, and
(2) obtain consent to share the information,

UNLESS the sharing was included in a previous notice and falls within the stated purpose of use.

So, in the example above, the bank would need to advise each customer of its intention to conduct research AND obtain each individual’s consent, or else bring the research within the joint-use exception by disclosing to each customer in advance:

- the fact that the personal data is to be jointly used
- the items of personal data to be jointly used
- the parties who are to jointly use the data
- the purpose of the use of the personal data
- the party responsible for the management of that personal data

10. Upon request by a principal, a business must cease to use or delete personal data that has been used beyond the stated purpose or acquired improperly.

This raises another administrative challenge.

And if you don’t comply?

Much of Japanese law enforcement is left to bureaucrats, who have wide discretion to admonish an offender and to order corrective measures. Criminal penalties apply to a business that ignores such an order: imprisonment (not to exceed six months) or a fine (not to exceed Yen 300,000). An aggrieved party may also seek relief under the civil law (contract or tort). Perhaps the worst of this would be the negative publicity associated with a widely-publicized violation (or even an alleged violation).


The exact implications for the market research industry are not so clear, but you can expect some or all of the following to occur:

- List brokers will be more careful to obtain the prior consent of list members.
- Companies with large customer databases will restrict use to the purposes for which they have obtained prior consent.
- Firms will upgrade their internal processes to avoid data leaks.
- There will be some investment in technology to improve physical and system security.
- Attorneys will be engaged to draft confidentiality agreements with employees and vendors.
- Consultants will be engaged to draft Privacy Policies and advise on other issues.
- Companies will scrutinize their affiliates more closely to ensure they too are compliant.

And with these basic procedures in place, companies will watch nervously to see how the law is interpreted in specific situations. It is quite possible that the first offender after April 2005 will be severely punished as an example to others.

Conclusion:

In 1995, Japan introduced the much-publicized Product Liability Law, which had even the largest companies rushing to take out insurance in anticipation of the avalanche of litigation they might face from disgruntled consumers. But the impact was relatively benign. 2005 will reveal whether the privacy law follows suit!

For a very detailed and up-to-date overview of all matters related to privacy in Japan, see:

http://www.privacyexchange.org/japan/japanindex.html

For a viewpoint expressed by the American Chamber of Commerce, Japan on the utilization of public comment in formulating privacy guidelines, see:

http://www.accj.or.jp/document_library/1072053987.pdf

For the official website of the Ministry of Economy, Trade and Industry:

http://www.meti.go.jp/english/

For the official website of the Ministry of Internal Affairs and Communications:

http://www.soumu.go.jp/english/index.html