Japan: Privacy governance guidebook
On 28 August 2020, the Ministry of Economy, Trade and Industry ('METI') and the Ministry of Internal Affairs and Communications ('MIC') jointly released a 'Guidebook on Corporate Governance for Privacy in Digital Transformation (DX) ver.1.0' ('DX Guidebook')1,2. Hiroyuki Masuda, Lawyer at One Asia Lawyers Group, analyses the privacy recommendations of the DX Guidebook and the benefits of their implementation for stakeholders.
Towards the era of Society 5.0, companies will play a key role in economic growth and in addressing social challenges through technical innovation that utilises various types of data and advances services and products. Especially in business sectors where personal data or data involving privacy is utilised, the need to protect the privacy of individuals and to respond to privacy issues is increasing. As business models have been changing dramatically and technical innovations have been progressing rapidly, companies should strive to reduce the various risks that such innovations may cause.
'Personal information' or 'personal data' is protected under the Act on the Protection of Personal Information (Act No. 57 of 2003) ('APPI'), and companies are required to comply with this legislation. Nevertheless, there are cases in which privacy issues arise and adversely affect companies' business even where the companies are compliant with the APPI3, and some companies have failed to avoid fierce criticism for their responses to such privacy issues. In some cases, such criticism may result in a serious problem threatening the very existence of the company.
In such circumstances, companies should actively respond to privacy issues, proactively fulfil accountability to consumers and stakeholders, and gain trust from society. Appropriate risk management and gaining trust may improve corporate value in the age of rapid change.
Thus, the DX Guidebook aims to help companies deploy activities involving privacy and, as a result, enhance not only the value of their products and services but also the corporate and social value of the companies themselves.
The DX Guidebook is a 'guidebook' which companies should consider, rather than legislation which provides legal requirements. Therefore, non-compliance with the DX Guidebook will not always directly infringe specific laws and regulations. However, as the concept of 'privacy', and the scope within which 'privacy' can be legally protected as a personal right, varies with the times, the DX Guidebook recommends that companies actively handle and respond to privacy issues in addition to merely being compliant with laws and regulations such as the APPI.
Who is targeted?
The DX Guidebook mainly targets companies which engage or promote digital transformation. However, the DX Guidebook does not limit its users.
The DX Guidebook is especially targeted to the following:
- companies which provide products or services by making use of personal data4 and which are expected to be urged to take care of consumers' privacy; and
- vendors which are trading with the above.
In addition, the DX Guidebook is targeted towards:
- personnel in managerial posts and others who are in a position to make proposals to top-level management or to the business operators of the company; and
- managers and personnel in a division responsible for comprehensively addressing matters involving the utilisation or protection of personal data and others.
What is privacy?
In Japan, the right of privacy is not expressly protected under specific laws and regulations. However, privacy has been recognised as a personal right and adopted in several court judgments5. Privacy is traditionally construed as the legal right not to have private matters published without good reason. Nowadays, the definition of 'privacy' has developed in line with the advancement of information technology, and the concept of 'privacy' now includes the right to control one's own information.
The scope of personal information/personal data under the APPI and the scope of privacy are different, with the scope of privacy being wider than that of personal information/personal data. In addition, the concept of privacy varies with the times and with technological innovation.
The DX Guidebook mainly deals with 'privacy' as highlighted above rather than 'personal information' or 'personal data'.
Three requirements for top-level management
Based on the above, the DX Guidebook provides the following three requirements to which top-level management of companies should be committed in order to establish and ensure privacy governance:
- documentation of commitments to efforts for privacy governance;
- appointment of personnel responsible for privacy; and
- input of resources to efforts for privacy.
Requirement 1: Documentation of commitments to efforts for privacy governance
As a key challenge in corporate strategies, top-level management should clearly document their basic approaches or commitments to efforts for privacy and convey them to stakeholders inside and outside the company. Top-level management are required to ensure accountability for their actions in accordance with the approaches or commitments clearly documented.
Examples of such documentation include creating a privacy statement, establishing principles of conduct for the organisation, etc.
The purpose of the documentation is:
- to enhance awareness of privacy issues among employees in companies; and
- to make the adopted privacy protection principles and the proactive attitude to addressing privacy risks known outside the company, in order to gain social trust.
Requirement 2: Appointment of personnel responsible for privacy
Top-level management should appoint an officer responsible for addressing privacy issues across the organisation and grant the officer both power and responsibility.
It is essential for the organisation to implement the principles created under Requirement 1 above. Privacy principles will work effectively when an officer responsible for addressing privacy issues is appointed and privacy issues are reported to that officer.
This officer will not always have the same function as the data protection officer ('DPO') under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). While a DPO cannot hold a position within an organisation that leads him/her to determine the purposes and means of processing personal data, the DX Guidebook permits such personnel to be in charge of addressing privacy issues even if he/she is in a position that may be involved in determining the purposes and means of processing personal data, depending on the organisation's structure.
Requirement 3: Input of resources to efforts for privacy
Top-level management should continuously input the necessary and sufficient business resources (human resources, goods, and money) and engage in the establishment of a system for privacy as well as the deployment, fostering, and securing of human resources. Such resources should be planned in advance, as a preventive measure, and built into the corporate strategies, business, and systems.
Key considerations of privacy governance
The DX Guidebook provides five key measures for privacy governance.
Measure 1: Establishing a system for privacy
It is desirable to establish internal controls, an organisation for privacy protection, and to collaborate with outside experts for the achievement of both business purpose and privacy risk management.
The department for privacy protection is expected to take on the following roles:
- to aggregate the information related to privacy in the company to find out privacy risks;
- to collaborate with other departments in addressing privacy risks from various perspectives while also achieving the business purpose;
- to constantly gather and share cases and articles related to privacy from inside and outside Japan;
- to establish a network of outside experts who are knowledgeable in privacy issues, such as academics, consultants, and lawyers;
- to accumulate know-how based on the experience of consultation cases handled in the company and make it a strength of the company; and
- to report to, communicate with, and consult the officer responsible for addressing privacy issues, not only in normal times but also in case of emergency.
Measure 2: Formulating operation rules and raising internal awareness thereof
It is important to formulate rules for thoroughly operating such a system and to raise internal awareness of those rules.
Measure 3: Fostering a culture involving privacy inside the company
For the practical and efficient operation of the system outlined above in Measures 1 and 2, it is essential to foster a corporate culture to encourage individual employees to be aware of privacy.
Examples of fostering a culture of privacy inside the company are:
- periodical training, e-learning;
- referring to the company's attitude regarding addressing privacy issues in the internal handbook, etc.;
- distributing the handbook corresponding to the plan to address privacy issues;
- awareness raising to promote the activities of the officer responsible for addressing privacy issues;
- intensive training for the department handling personal data;
- training to support employees transferring internally between departments; and
- including the department for privacy as a part of a periodic job rotation.
Measure 4: Communication with consumers
It is also important to disseminate the company's efforts, attract public attention to them and continuously communicate with consumers, including but not limited to publishing a transparency report.
Measure 5: Communication with other stakeholders
It is important to communicate with business partners, group companies, investors, shareholders, administrative organisations, industrial associations, employees and others regarding how the company proactively addresses privacy risk management for gaining social trust.
The meaning of privacy or potential impacts of actions involving privacy will change depending not only on target products and services but also on technological advancement and public concern. METI and MIC will continue to revise the DX Guidebook, appropriately ascertaining social trends.
Hiroyuki Masuda Lawyer
One Asia Lawyers Group
1. See: https://www.meti.go.jp/english/press/2020/0828_006.html
2. Full text available, only in Japanese at: https://www.meti.go.jp/press/2020/08/20200828012/20200828012-1.pdf; summary available at: https://www.meti.go.jp/english/press/2020/pdf/0828_006a.pdf
3. This is because the scope of 'privacy' is wider than those of personal information/personal data in Japan as explained later in detail.
4. In the DX Guidebook, 'personal data' includes not only personal information as defined in the APPI but also any information related to the individual. 'Personal data' as used in the DX Guidebook is therefore wider than that defined in the APPI.
5. E.g. Tokyo District Court, Judgment, 28 September 1964; Hanrei Times (No. 165), p. 184