The Journal The Authority on Global Business in Japan



Changes to Japan’s Privacy Law
How proposed amendments could harm or help innovation

On July 16, the ACCJ Internet Economy Task Force (IETF) released a viewpoint titled “GOJ Policy Review on the Protection and Utilization of Personal Data.” As part of ongoing discussions on the topic, the chamber co-sponsored the “Third Multistakeholder Forum: A New Privacy Framework for Japan” with the Keio International Project for the Internet & Society on July 9.

A panel was convened to discuss proposed revisions by the government of Japan to the Personal Information Privacy Law, drawing on stakeholders from academia, the legal profession, and the broader business community.

Among the speakers was Jim Foster, IETF senior advisor, and Yoshitaka Sugihara, IETF chair. Before the forum began, Foster and Sugihara spoke to the ACCJ Journal.

Japan’s privacy law—passed in 2005—is 10 years out of date, Foster explained. At that time, he said, online commerce, Facebook, social media, and similar technologies were in their infancy. In 2014, that has all changed.

Cloud service companies, Foster said, know who most of your friends are, where you bought the shirt on your back, and whether you prefer ramen or sushi. The business model of many Internet companies is based on collecting and packaging vast amounts of personal data—also known as Big Data.

The IETF’s position, Foster said, is that “we want companies to be able to aggregate and use this data, with appropriate controls, to the benefit of consumers, through the introduction of new and innovative services.”

Both the government and the privacy law should facilitate the use of such de-identified data (i.e. information that cannot be linked to a specific individual) for commercial purposes, Foster continued.

The challenge is how to develop a multistakeholder process—involving various members of the business world, academia, and the broader community—so that data can be both shared and protected.

Foster explained that Japan’s 2005 law has a very narrow definition of personal data, and, as a result, has acted as a brake on online enterprise. Companies have been reluctant to deploy new services due to concerns that they might violate the law and incur reputational damage.

Because American businesses are market leaders in global online services, they need to be actively involved in developing a new privacy framework for Japan in cooperation with Japanese civil society.

Sugihara echoed these sentiments. Though favorable to business, the draft amendments, he said, are ambiguous on third-party obligations to protect data and on the role of a proposed data protection agency. He warned of challenges yet to be faced in raising public awareness of potential privacy issues.

The government’s “Policy Review of the Protection and Utilization of Personal Data” was open to public comment through July 24, and a video recording of the forum is available on the website of the Keio International Project for the Internet & Society ( •

Viewpoint released on July 16, 2014

The ACCJ recommends that the government of Japan:
• Promote the utilization of personal data for commercial purposes;
• Adopt a dynamic approach to the protection of personal information;
• Involve the multistakeholder community in the rule-making process;
• Eliminate the overlapping of authorities within the GOJ for data protection;
• Clarify the definition and scope of personal information;
• Permit the transfer of de-identified data to third-parties;
• Facilitate the obtaining of consumer consent for repurposing data usage;
• Clarify the procedures for data disclosure and deletion;
• Consolidate the reporting requirements in cases of data breaches;
• Minimize restrictions on cross-border data flows;
• Avoid conflicting legal frameworks; and
• Ensure due process is followed and seek constructive solutions to data breaches.