Covid-19 and Data Protection in Japan, by Hiroshi Miyashita

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com.State of Emergency in Japan

The COVID-19 outbreak has been challenging Japan’s commitment to privacy and data protection under the state of emergency. It is crucial to balance between privacy rights and public interest during this pandemic outbreak.

The first case of COVID-19 infection was reported in Tokyo on 15 January 2020, and the number of COVID-19 positive cases in Japan reaches 22,450 cases with 984 death as of 16 July 2020. On 7 April 2020, Prime Minister Abe issued the Declaration of a State of Emergency under the Act on Special Measures for Pandemic Influenza and New Infectious Diseases Preparedness and Response. The Special Measures Act does not include compulsory measures such as a lockdown; however, the soft power of this legal instrument aims to nudge Japanese citizens into exercising self-restraint. The state of emergency was lifted across Japan on 25 May 2020.

However, there are concerns of a second wave of COVID-19 hitting the Japanese islands, as there has been a gradual increase in infection numbers since late June 2020, which once again brings to the fore our commitment to privacy and data protection in Japan.

General Issues on Privacy in the Context of COVID-19

There are several COVID-19 related privacy issues in Japan. First, at the initial stages of the spread of the infection, local governments reported individual infection cases while paying attention to the privacy of the concerned patient. The Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases requires the Minister of Health and prefectural governors to published the details of positive cases while protecting personal information (Art. 16). In some cases, local governments have published the details of patients with some information about their background. For instance, during a state of emergency, a female patient took a long-distance bus to attend a barbecue party even though she had the initial symptoms of dysosmia and dysgeusia. Her social media account was disclosed and her private information was uploaded on the internet to attack her irresponsible behaviour. The Ministry of Health, Labour and Welfare (MHLW) issued the basic policy on 27 February 2020 specifying that some items of the patient details such as name, nationality, and occupation, should not be disclosed in line with data protection principles. In addition to identification of an individual through social media, there was a data breach case on 5 May 2020 where Aichi Prefecture published by mistake a list of 490 patients including the patients’ name, the name of hospitals, and the dates of hospitalisation in the prefectural official homepage. Aichi Prefecture later issued a public apology with a compensation payment of 40,000 yen (approximately 325 EUR) to each patient.

Secondly, in the employment context, the Personal Information Protection Commission (PPC) issued its new Q&A on sharing personal data to a third party even when the data subjects’ consent is absent, in order to prevent secondary infection. The Japanese data protection law authorises sharing personal data to a third party in case of protection of life, body, and property, or a special need to enhance public hygiene (Act on the Protection of Personal Information Art.23(1)(ii)(iii)). In addition, the PPC clarified that the activity records of an infected employee can be shared with the public health authorities under the Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases.

Thirdly, a media report raised the issue of the sharing of personal data of infected individuals by the local health authorities with the police. The police need such personal data for maintaining police force and public order. The policy for sharing personal data does not specify whether its scope includes the behavioural patterns, histories, and relationships. The sharing strategy is based on voluntary disclosure according to an interpretation of ‘a reasonable ground’ for using personal information in executing an administrative activity (Act on the Protection of Personal Information Held by Administrative Organs Art.8(2)(iii)). Thus, local health authorities are expected to provide necessary personal information to the police, but can deny a request for information from the police if they believe that there is a possibility for privacy infringement.

Social Media Survey and Big Data Analytics

On 27 March 2020, the MHLW, along with other Ministries called for collaboration with social media companies to conduct surveys on health conditions. LINE, a social media company with 83 million users, which amounts to nearly 67 percent of the Japanese population, contributed to this survey in April 2020. Approximately 30 percent of the users responded to this survey. This survey focused on whether users have fever to predict the spread of COVID-19. Major mobile phone companies also contributed to big data analytics using the spatial statistics data to map the people’s movement. These companies have taken care not to violate users’ privacy by using only anonymous or statistical data.

COCOA App

COCOA (Contact-Confirming Application) , a Japanese version of contact tracing app, was officially launched on 19 June 2020, with the privacy policy available in Japanese, English, and Chinese. The app warns users of their risk of possible infection if they have been within 1m of an infected person for more than 15 minutes. The MHLW found a functional defect in the app as the warning notification did not work for the first two weeks, and a week later, the app stopped the warning notification again.

The COCOA app is robustly designed for privacy protection with the Apple-Google application program interface (API) and Bluetooth technology. The Japanese government had made preparations for this app since early April, including evaluating the planned schemes in Germany, Switzerland and Estonia as offering the systems with the best privacy protection.

First, the use of the app is completely voluntary. As of 16 July 2020, the number of downloads of this app was approximately 7.26 million, namely 5.7 percent of the total Japanese population, and there were 16 positive cases reported through this app. In Japan, 64.7 percent of the population use smartphone, and the government encourages these users to download the app. Second, the app does not collect the names, phone numbers or geolocation data, but uses pseudonymous data. MHLW operates the Management System for a database of COVID-19 infected persons, which retains ‘a processing number’, a randomly assigned number, to confirm that the app user tested positive for COVID-19. According to the consideration notes in government meetings, an app user can be identified by matching a processing number and a unique ID for the purpose of issuing waring notifications. Third, the app operates through a decentralised scheme. The unique IDs are collected in individual smartphones, and thus there is no risk of massive surveillance. Fourth, the source code is open to the public. Hacker experts have concluded that this app has no major security defects. Finally, the app has a strict retention period of 14 days for data of diagnosis key.

The operation of contact tracing apps is slightly different in Japan compared to how such apps are managed in the EU. For instance, there is no independent supervisory authority in Japan to audit this app since the Japanese PPC does not have jurisdiction over the public sector. Furthermore, no data protection impact assessment has been carried out for this app in Japan. There were certainly parliamentary debates regarding this app, but no public consultation in launching this app. In Japan, there was almost no voice such as introducing geolocation tracking or managing personal data through a central database.

`Privacy Positive` with an Effective Measures

In employing the COCOA app to notify users about possible COVID-19 positive cases, the Japanese government and stakeholders acknowledge the importance of being ‘privacy positive’. From the experience of previous emergencies, such as the Great East Japan Earthquake in March 2011, it is clear that Japanese citizens respect personal data protection even in an emergency.

There are indeed some concerns and criticism about too much emphasis on privacy, in particular non-disclosure policy or inconsistency of publishing the details on the patients among local governments. Being ‘privacy positive’ does and should not mean that Japanese citizens are willing to give up effective and scientific public health measures against the COVID-19 outbreak. Additional measures including the big data analytics and the COCOA app will support public health policies.

At the time of writing this report, it was clear that in Japan, a state of emergency does not undermine the fundamental value of privacy among Japanese citizens.

Hiroshi Miyashita, Associate Professor of Law (LL.D.), Chuo University (Tokyo, Japan). His areas of academic interest include constitutional law and information law.