Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

A quarter of UK databases break privacy laws

This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal…

A new report for the Joseph Rowntree Reform Trust by a very credible largely Foundation for Information Policy Research (FIPR) team that combines engineers, lawyers, software developers, and political scientists, has concluded that a quarter of the UK public-sector databases are illegal under human rights or data protection law. It also looks at UK involvement in some European database projects and finds all of them questionable too.

The report rates the 46 databases on a traffic light system – green, amber, red – and argues that those rated ‘red’, in particular the National Identity Register and the Communications Database, and are simply unreformable and should be scrapped. This is massively important because it is based not simply on a financial, political or even an ethical position, but on the database projects’ respect for existing law. They are simply illegal, and not just massively expensive, morally questionable or politically undesirable. In fact, a quarter of all the databases were found to contravene the law and more than half were ‘problematic’ (i.e. open to challenge in court) . All of those rated ‘amber’ (29 databases) the authors argue, should be subject to independent review.

There are a number of other major recommendations, including the reassertion of the necessity and proportionality tests contained in DP law, citizens should anonymous rights to access data, more open procurement of systems, and better training processes for civil servants. The most important and radical measures proposed, and entirely correctly in my view, are those concerning the location of data and the whole nature of UK IT development. For the former, the report recommends that the default location for sensitive personal data should be local, with national systems kept to a minimum – this appears to be rather like the ‘information clearing house’ system as opposed to central databases, that we proposed in our Report on the Surveillance Society, but better worded and justified! In the latter case, the authors simply note that fewer than 30% of government IT projects succeed at a cost of 16Bn GBP per annum and that there should never be a general and aimless government IT program, rather there should only ever be specific projects for clearly defined and justified (proportional and necessary) aims.

It is an excellent report and probably unanswerable in its logic. Tellingly, The Guardian report contains no response from any government minister…

‘Blacklisting’ firm shut down by ICO

For some time, I’ve been concerned about the little-discussed practice of ‘blacklisting’, the creation and sale of databases of workers thought to be troublemakers, radicals or union activists. Last year, I noted the failed attempt by the British government to legitimise this activity with the creation of the National Dismissal Register, and connected this to earlier surveillance of workers through the Economic League. See this more recent post where I summarised the story in a slightly different context.

But the Economic League, set up after WW1 and finally closed in 1993, had several offshoots. Now, as reported in most of the British press, one of them has been closed down by the UK Information Commissioner’s Office (ICO). ‘The Consulting Association’, a firm based in Droitwich, Worcestershire had apparently been operating for 15 years selling confidential information on construction workers to all the major building companies. According to the BBC, 3,213 workers’ names were contained on the list and were categorised by political affiliations and union activity etc.

Not surprisingly the firm was owned and run by one Ian Kerr, who was previously involved in the Economic League and who still seems to think he was doing nothing wrong, despite his past, and despite the fact that he had previously denied even the existence of this database. But he, along with all the clients named by the report, including Amec, Taylor Woodrow, Laing O’Rourke and Balfour Beatty and many others – there is a full list on the Guardian site – were breaking the Data Protection Act by illegally keeping and trading in personal information. We’ll see whether the big building firms get away with it; most likely they will simply claim that that they didn’t know the data was illegally acquired and traded.

Given the recent history of the National Dismissal Register to set up databases of troublesome workers, it is particularly ironic that minister, Peter Mandelson, is quoted as applauding this action by the ICO in the various reports.

German Corporations in Trouble over Surveillance

t seems that there is a mood in Germany for much stronger action, and a growing awareness that the country cannot, unlike in the UK at present, or indeed Germany in its own recent past, be allowed to slip into a situation in which surveillance becomes normal…

There is a major ongoing storm in Germany over the behaviour of its major corporations in spying on workers. There is a nice summary news report from the BBC which you can watch here.

The newest scandal emerged in January when it was revealed that the railway company, Deutsche Bahn, had conducted surveillance operations against thousands of its staff, both workers and management, possibly over years. The operations, with names like ‘Squirrel’, involved all kinds of intrusive internal espionage including tracking family members. The company’s aim was apparently to do with corruption and links to other rival corporations but the management have now admitted they went too far.

Internal security was also the reason behind the massive surveillance operations at Deutsche Telekom, the communications giant, possibly dating back to 2000. Here journalists and managers were targeted by a private detective agency. And of course then there was last year’s scandal over the way that the Lidl supermarket chain created a kind of Stasi-style operation at many of its stores and warehouses in Germany and the Czech Republic with secret cameras and operatives making detailed notes on the movements (especially toilet breaks) of its employees. According to The Guardian, the level of personal detail recorded by the store was incredible, one entry read: “Frau M wanted to make a call with her mobile phone at 14.05 … She received the recorded message that she only had 85 cents left on her prepaid mobile. She managed to reach a friend with whom she would like to cook this evening, but on condition that her wage had been paid into her bank, because she would otherwise not have enough money to go shopping.”

In the BBC report, the conclusion seems to be that better data protections laws are needed. Certainly this is true. But the cases involving corporations are important because they provide clear and comprehensible examples of how people ‘with nothing to hide’ can be targeted anyway and do have to be worried. There are enough of them too to show that this is not a series of isolated cases, but a part of a ‘culture of surveillance’. However it seems that there is a mood in Germany for much stronger action, and a growing awareness that the country cannot, unlike in the UK at present, or indeed Germany in its own recent past, be allowed to slip into a situation in which surveillance becomes normal. This means more than stronger DP, it means not allowing corporations and government to reduce fundamental liberties with arguments about ‘exceptions’. There seems to be growing awareness from the strong German Trades Unions in particular about this, we will see if this translates into wider social, and state, action.

At the Departamento de Policia Federal

Both human rights advocates and the police seem to be strongly in favour of the new RIC system as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state.

Departemento de Policia Federal, Brasilia
Departamento de Policia Federal, Brasilia

I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.

The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocates and the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.

It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.

The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.

It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that the neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policemen (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.

(Thank-you very much to Delegado Romulo Barredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help)