• 09 09, 2014

    #029 Associate Professor Kaori Ishii, Faculty of Library, Information, and Media Science

    How Much (and How) Can We Protect Our Privacy?


    Prof. Ishii became a lawyer at the youthful age of 25. She felt keenly that a lawyer needed to gain experience in society to be effective, so she left the law office where she was working to join the legal department of a private enterprise. At a time when the newly established Act on the Protection of Personal Information ("Privacy Act") was on Japanese citizens' minds and she had been handling corporate compliance, Prof. Ishii became interested in issues surrounding the protection of personal information. After switching over to the world of research, the area of research she chose was legal issues involved in privacy and the handling of personal information. Prof. Ishii explains that the basis for the legal imperative to protect personal information as a privacy right is found in Article 13 of the Constitution of Japan, which states, "All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs."

    The Act on the Protection of Personal Information was instituted in May 2003 and went into full effect in April 2005. The law created a legal foundation by which every individual in society could safely reap the benefits of information technology ("IT"). The law is now in its 10th year of implementation, yet it is not actually designed to directly protect personal information. Rather, it is a regulatory law directed at businesspeople who handle personal information. So unless there is some kind of mishandling or lapse in the management of customer information that has been appropriately acquired, the law has not been violated. Even if a violation of the Privacy Act occurs, the supervisory authorities only issue a recommendation and directive; only if the directive is breached is the businessperson subject to imprisonment of up to six months or a fine of up to 300,000 yen. To date no penalties have ever been assessed under the law. But even without such penalties, a company found to have leaked a large amount of customer data suffers a significant blow to its image in terms of consumer trust. In the Benesse incident that occurred in July 2014, customer information that was being properly protected and managed was stolen by a temporary employee in charge of systems management, who sold the data to list brokers. In this case, what crime was the suspect who stole the confidential data accused of? In fact, he is being charged only with violating the Unfair Competition Prevention Law, an entirely different law.

    Finding time in her busy schedule to write, Prof. Ishii is an author and co-author of important books and articles that address international comparisons and various legal precedents and cases.

    Various countries have taken differing approaches to protecting personal information. In the United States, where there is an aversion to government intervention, the system is based on voluntary restraints. The U.S. has nine major data (name list) brokers that trade in such personal information, and one prevalent way of thinking in the country is to allow the market to drive out any firm that is known to have stolen data, rather than to regulate such companies by law. Even major Internet companies are permitted to autonomously manage private data. In European countries, by contrast, there is a trend to create idealistic systems, but current realities make the strict implementation of such systems difficult. The pace of IT advancement and globalizing social trends has been so fast that laws cannot keep up with every development. Big data is one example. Balancing corporate schemes for collecting, analyzing, and using such data with the protection of personal information is an issue that fundamentally cannot be resolved through the revision of laws, says Prof. Ishii. At the same time, greater information literacy among individuals needs to be encouraged in society.

    In Japan, with its strong village-like social structure, the objective concept of privacy never really existed before. It was imported through the westernization of society. As the protection of privacy does not mesh well with legislative measures in Japan, a third-party body (privacy watchdog) was set up to carry out law enforcement that is neutral with regard to the legal system. The Number Use Act (Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures) is a special law enacted in May 2013 under the Act on the Protection of Personal Information, based on which Japan established a third-party independent data protection authority called the Specific Personal Information Protection Commission. The commission is charged with the duty of overseeing all aspects of the handling of personal information, not only the Number Use Act. When revisions are made to the Privacy Act, this system allows various interested parties to engage in discussions regarding methods for processing information to make the data easier to use by reducing the specificity of personal information, based on which authorization is to be sought from the Specific Personal Information Protection Commission.

    Up to this point, standards related to privacy and the right of likeness were created from a set of infringement suit judicial precedents. However, since the advent of online culture, many new issues have been cropping up. For example, if certain information from a person's past that the person doesn't want other people to know about is uncovered and published in a magazine article or book, the author and publisher can be sued. In the online world, if a person collects specific personal data on someone and exposes it on some kind of electronic forum, for example, although the act can be considered a violation of the person's privacy, who is to be charged? Since multiple anonymous individuals cannot be charged, is the provider of the service that hosts the information liable? In creating legislation and seeing to it that the laws are applied, it is important not to get caught up solely in immediate issues, but to see events from a broader perspective and stay focused on trends in the information world, including international trends. In the field of personal information protection, the once-mainstream study of legal interpretation in legal research is giving way to legal research for determining legislative policy. Legal researchers played a key role in the enactment of the Privacy Act. This is evidence that, in this field in which new issues must now be addressed, the interpretation of laws created by the legislative branch of government can no longer be left up to those engaged in the legal profession as it once was.

    Prof. Ishii responds calmly to requests from the media for comments and appearances on the recent Benesse incident

    Popular TV dramas today often feature dashing attorneys and public prosecutors. In the real world, however, for a lawyer to be overly partial to his or her client is a danger. As Prof. Ishii sees it, the lawyer's role is to find the best options for the client. Of course it is necessary to have strong convictions, but this should be done from a slightly detached stance, without demonstrating undue favor. As society becomes more diversified and the unfolding of trends accelerates, expectations will also rise for Kaori Ishii, a rare legal professional who specializes in personal information issues.

    Article by Science Communicator at the Office of Public Relations

    Copyright © 2016 University of Tsukuba All Rights Reserved.