Top>Research>Re-encounter of Protection of Privacy and Protection of Personal Information
Nobuyuki Sato
Professor of Public Law, British & American Law, Information Law, Chuo Law School, Chuo University
Areas of Specialization: Public Law, British/American/Canadian Law, Information Law
As Private university research branding project “Understanding of Diversity of Legal Systems in Asia-Pacific Region and Convergence towards Establishment of Rule of Law”, we have reported activities over the five times on legal culture, international trade (contract), dispute resolution, etc. This time will be the final article of this fiscal year, I would like to mention some research results on the subjects of the data privacy domain.
Although I used the term data privacy in the introduction above, this expression itself actually contains some problems.
If we refer to a part of the conclusion precedently without fear of misunderstanding, Privacy protection and personal information protection are actually different things (or similar but different), and as a concept to connect them, it is a question whether data privacy can be developed or not. So, it is one of the roles of this project to clarify it.
In the first place, the idea of privacy protecting as a right or legal interest was born in the United States in the late 19th century. At that time, America was undergoing rapid urbanization and industrialization, and along with that, tabloid newspapers specializing in gossip articles appeared. The problem at that time is that the traditional legal system can not offer any effective measures against these gossip newspaper articles. In other words, the simple law system at the time, which was not premised on urbanization or the emergence of mass media, typically defamation law, was not predicted to be a business of revealing private life. Under such circumstances, there was a demand for recognition of privacy as a new interest, and also a demand for recognition of “the right to be let alone” in response to these social changes, and this right was recognized at the beginning of the 20th century.
Under such circumstances, there was a demand for recognition of privacy as a new interest, and also a demand for recognition of "the right to be let alone" in response to these social changes, and it was approved in the beginning of the 20th century.
However, since the 1970s, the value of personal information has grown dramatically in conjunction with an increasingly-complex society and constantly-evolving computer technology. This has created concern for a new privacy violation that differs from exposure of lifestyles by the mass media. For example, an information on the past behavior of a certain individual can be collected without that person knowing, and is stored in a computer database. Then a company might secretly use this information at the time of job searches.
In response to the risk of such new violation, one idea is to protect as an extension of the conventional privacy rights. A prominent example of this approach is privacy rights as the right to control one’s personal information. In other words, discussion on the conventional concept of invasion of privacy rights has been limited to focusing on exposure by the mass media, within the process of collecting, saving, processing, and using personal information. However, in the first place, a person possesses the right to decide how their own personal information is used. Therefore, even if it is an infringement from the collection stage or by an entity other than the mass media, it is an approach to consider as privacy infringement.
Although, in Japan, such individualistic right was not understood until the end of World War Two, “The Utageno-Ato case” in 1964 The Tokyo District Court ruled that this concept was approved, and opened the road to the advancement of privacy rights in Japan.
However, there is a major problem with this approach. To begin with, when discussing conventional privacy rights, there is the issue of reconciling freedom of expression by mass media (and underlying the right to know of citizens) with privacy protection. Accordingly, the court verdict in the aforementioned “The Utageno-Ato case” established that privacy violation exists when there was public disclosure of matters for which disclosure is recognized as undesirable from the perspective of the individual in questions, based on the sensitivity of an ordinary person. This case is still upheld by the Supreme Court of Japan even today.
However, the idea of privacy right as the right to control one’s personal information right is regarded as a condition for discussing "diversity of individual values". In other words, in an advanced information society, the very question of when, how, and to whom one’s own information is disclosed during life depends on the selection of personal values. Privacy right is exactly what protects it. Then, there is very little room for the concept of the sensitivity of an ordinary person.
Here, when examining the relationship between “the privacy right as the right to be let alone” and “the privacy rights as the right to control one’s personal information”, they are not in a simple relation in which the former is subsumed by the latter. It is just a complex relationship which possesses conflicting elements.
Therefore, many countries (including Japan) have temporarily shelved discussions on giving basic constitutional recognition to privacy rights as the right to control one’s personal information. Instead, as much as possible, these countries take an approach which seeks to realize protection of personal information as system of positive law. It has led to such direction that Organization for Economic Cooperation and Development (OECD) in 1980, " Guidelines on the Protection of Privacy and international distribution of Personal Data" and its Annex (OECD 8 Principles). Although the recommendation uses the phrase of privacy protection, it does not encourage countries to implement privacy protection. Conversely, if each country were to implement protection of privacy based on independent standards, there would be interference with smooth international distribution of personal information. To avoid such interference, the context of the recommendation proposes the establishment of a global system for personal information protection with high communality. Although Japan also enacted the Act on the Protection of Personal Information in 2003, the fact that the purpose of the Act is not "protecting privacy" clearly indicates that it is based on the OECD Recommendation.
In this way, in many countries including Japan, the system that privacy protection and personal information protection is actually different has been established.
The definition of personal information typically shows the approach which separates privacy protection and personal information protection. For example, the Japanese Act on the Protection of Personal Information enacted in 2003 states the following: “The term "personal information" as used in this Act shall mean information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual)” [Article 2-(1)]. In short, it is not whether it leads to violation such as infringement of peaceful life in private life, but only whether it is possible to identify individuals. This approach is shared by almost all countries and regions targeted by this research project. For example, in Hong Kong, the Personal Data (Privacy) Ordinance (Chapter 486) also defines personal information based on the possibility of identifying an individual.
The expansion of computer networks such as the Internet has created renewed concern to have expanded the extent that privacy will be influence by the collection, saving, processing, and use of personal information. For example, there is that an individual’s current lifestyle will be threatened by past personal photographs or videos which continue to exist on the Internet, or that the unified personal identification number concerns that multiple personal information which should not be combined originally are merged and lead to disadvantages in social life.
In response, in some countries and regions, they are beginning to try to unify again the two systems of privacy protection and personal information protection that have once been separated. This is a partial statutory enactment of the right to be forgotten which has been formed through the case law in Europe.
Furthermore, in Japan, the concept of "Special care-required personal information" was introduced by the major amendment to the Act on the Protection of Personal Information that was entirely enforced on May 30, 2017. In principle, permission from the data subject is required in order to acquire special care-required personal information.
Moreover, special care-required personal information must be handled with more care than normal personal information. For example, the opt-out method cannot be used when providing information to a third party.
In this way, when privacy protection and personal information protection are once again organically combined, the problem will arise due to differences of recognition of privacy in each country and region, and due to the difference in system design occurred in the context of it. As a result of relative separation from normal systems for privacy protection as based on the 1980 OECD recommendation, in fact, it can be understood that the personal information protection system has encompassed "technical commonality across borders", an area that is relatively unaffected by legal culture.
However, this foundation is about to change dramatically now. For example, the current Hong Kong law does not have a special provision on "sensitive data", but before the big development of EU law, Office of the Privacy Commissioner for Personal Data, which is personal information protection agency in Hong Kong, express strong interest in the trend of EU law. Actually, EU law restricts the transfer of personal information to countries and regions which do not guarantee a level of protection which is at least equivalent to EU law.
When "personal information protection", which is easy to ensure technical commonality, crosses borders and again encounters "privacy protection", respect for the legal culture of other countries will be indispensable. To determine the appropriate extent for the privacy protection, indeed, it will be necessary to engage in dialogue starting with ascertaining differences in legal culture.