Front Line Research at MEIJI

Hidetomo Sasaki

Utilization of big data and personal information protection 
-Need for the formulation of policies on personal information protection that suit the Japanese society -

Drawing-up a set of clear-cut rules is essential

I think the full-scale utilization of big data should be permitted because it affords companies greater opportunities. However, it comes with the significant risks associated with handling personal information and privacy. Dealing with this issue requires the correct technology. But it also requires the setting of clear legal rules.

Privacy regarding information that does not identify any individual is not subject to the Act on the Protection of Personal Information. However, in order to handle ever-increasing amounts of diverse data made available through advances in technology, Japan’s existing legal systems and public discussion for more proper protection have not been sufficient. A new framework besides personal information protection laws based on civil and criminal laws is required. The national government has just set up an advisory committee in an attempt to improve the legal systems.

The right to privacy came to be acknowledged during the period from around 1960

“The handling of privacy should be reviewed even if it is used for purposes in the public interest such as disaster prevention,” says Professor Sasaki.

Privacy was acknowledged for the first time in Japan in 1961 when a lawsuit was filed for invasion of privacy against the novelist, Yukio Mishima, for alleged incidents disclosed in his novel, “After the Banquet.” Since then, whenever a celebrity’s private life is revealed in a weekly photo magazine, a debate over the pros and cons of privacy surfaces among the mass media or in publishing circles. In the 1980s and since then, when the use of credit cards became common, personal credit information began to be circulated. As the income of individuals, the makeup of their family, their transaction history and other details became available to financial institutions, such as credit card and credit loan companies, the public’s awareness of personal information protection increased. In the late 1990s and since then, through the spread of the Internet in Japan, information on the personal interests of individuals has also been accumulated through the history of their purchases made through online shopping sites, and thus the personal characteristics and trends in the purchasing patterns of individuals have become apparent. On the other hand, unease about entering personal information and credit card numbers during these online purchasing processes has increased as consumers have become more conscious of privacy and personal information protection.

It is of course necessary to provide a certain level of personal information for online purchases in order to verify the buyer’s identity. Complete protection of personal information means that you will never use the service and this may disrupt the smooth flow of transactions in the society.

Consideration should be given to both utilization and protection

As an example of the utilization of big data, sometimes cases with a high social value, such as health management or disaster prevention, are introduced. Although the purpose of introducing these cases is based on social justice, we cannot rule out the possibility of covering up the risk of infringing on the right of an individual to privacy. For example, a TV documentary program featured an analysis of the evacuation status of individuals immediately after the Great East Japan Earthquake. This analysis was based on the personal mobile phone location information of individuals. If someone think it to be a critical infringement of personal privacy, then we will need to modify current privacy/personal information protection practices and the utilization of this type of information, even if it’s purpose was in the public interest, such as disaster prevention. This is the nature of “privacy,” and I am afraid that consideration of the privacy has not been fully discussed.

To utilize personal information in big data, such as location information or the general tastes and preferences of individuals, while keeping in mind concerns about privacy, it is important to fulfill both aspects of the importance of “utilization” and need for “protection.” The point here is to maintain a balance between them.

When a Japanese company causes a scandal, executives bow at a press conference to apologize. This is one of the Japanese-style business practices that are very difficult for heads of foreign-affiliated companies to understand.

The handling of personal information differs between the EU and the United States

Because the Internet have no boundaries, international cooperation is crucial. However, powerful nations such as the EU, or the United States, have opposing views about personal information protection. Roughly speaking, the EU is inclined to tighten controls for personal information protection, while the United States aims to establish minimum rules, and leave the details to self-regulation.

The approach the United States adopts towards individual acts and self-regulation has the merit of action without legislative proceedings. It also enables careful consideration to be given to the issue from the standpoint of business operators. On the other hand, the basic principle of the EU is to establish independent supervising authorities that are authorized to impose substantial penalties. With the existing system, it is difficult for Japan to make business deals with European organizations. Thus, the establishment of the new legal framework for privacy protections critical, and I will continue to watch future movements in this area closely.

International situation regarding privacy/personal information protection

Minimum rules to comply and handling based on self-regulation are needed.

In the existing Act on the Protection of Personal Information, a few and comprehensive rules applies to everything. It is unreasonable to apply these rule to a wide range of personal data elements. The boundaries vary according to the intended use and purpose, and the entities that will use the data. Therefore, the rules should be coordinated in more detail in accordance with the more specific circumstances of a given field of activity.

The problem here is that there is no unified supervising authority. The EU countries have the Data Commissioner system and the United States has the FTC (Federal Trade Commission). But Japan does not have any such organization due to the adverse effects of its “vertically-segmented administration.”

The most important point is to establish a unified supervising authority with powers of investigation and enforcement. From this perspective, only the basic framework (such as the concepts and fundamental principles) should be provided in the Act on the Protection of Personal Information, and then individual acts and self-regulation should be enforced by industry and by field of activity. I think this system suits the Japanese people and society better from a historical point of view. In fact, access by mobile phone to harmful sites is limited by regulations as well as through the self-regulation of mobile carriers. This requires discretion and some cost, but this is a characteristic of Japanese way of protecting personal information.

As for privacy/personal information protection, it is important to review and examine different values and interests to produce a proper balance

Legislation from cultural and traditional viewpoints

The term, “privacy” came into use in the United States. But Japan must have had its own way of protecting privacy before it became a popular concept in the United States. According to a scholar conducting a comparative study of the history of privacy protection systems, the difference between the United States and Japan may be traced to lifestyles. That is, the difference between living in a house surrounded by extensive grounds compared to living in a house that is constructed close to others. The difference in the sense of morality or ethics, culture or tradition is strongly reflected in privacy issues, and such background issues cannot be addressed in the text of the law. As I am engaged in a comparative study of privacy/personal information protection, which is my field of specialty, I endeavor to take into account such actual legal and cultural situations.

It seems the EU does not consider that their way of handling personal information is all-encompassing. We need to make an effort to prove, through negotiation, that some Japanese ways of protecting sensitive information are superior to theirs, and are therefore more effective. Of course, to prove real effectiveness in privacy and personal information protection, we have to have factual validation of the data. Taking this into account, I am hoping that even more active discussions, with the consumers included, will take place here in Japan.


Professor, Department of Law, School of Law
Research interest: Cyber Law, Comparative Law, Comparative Study of Privacy/Personal Information Protection

Completed Doctoral Course, Graduate School, Division of Law, Hitotsubashi University, March 1998
Professor, School of Law, Meiji University, April 2011
Member of the board of directors, Japan society of Comparative law
Inspector of Japanese American Society for Legal Studies
Special Executive Researcher, Institute for Information and Communications Policy, Ministry of Internal Affairs and Communication
Chairperson of Coordination Committee for Telecommunication Consumer Support, Kanto region Ph.D. in Law, Hitotsubashi University