Resolution Calling for Designing Systems for a Digital Society where the Right to Control Personal Information is Ensured in Order to Protect Human Autonomy and Democracy in a Digital Society
The Japan Federation of Bar Associations (the “JFBA”) held a symposium entitled “Convenience and Privacy in Digital Society – Common Number System for Taxation and Social Security, Life-Logs, and Electronic Money” at the 53rd JFBA Convention on the Protection of Human Rights in 2010. At the symposium, we advocated for the effective protection of the right to control personal information while highlighting the reality of life-logs tracking the footprints of our activities in digital society, pointing out the problems with behavioral targeting advertising using the footprint and exposing the problems with the Common Number System for Taxation and Social Security which the then-government was aiming to implement.
12 years have passed since then and there has been a transformative change in citizens’ behaviors with the widespread use of smartphones and social media such as Twitter, Facebook, and Instagram, and the increased frequency of watching videos on online platforms like YouTube. The effectiveness of behavioral targeting advertising is now widely known, allowing companies to obtain the same level of sales with reduced advertising costs.
On the other hand, digital platform operators gain revenues by recording an immense amount of information which is impossible for individuals to keep track of, ranging from keywords typed into search engines by individuals, the individual’s search history for articles and watch history on YouTube, to the individual’s travel history accumulated by activating the GPS on their smartphone, and by using the information to predict the individual’s future actions. In digital society, activity history is subjected to profiling to the extent that it is no exaggeration to say that every bit of personal information about the individual is being dissected, putting our privacy at risk.
Another problem is that our access to information necessary for us to make autonomous decisions is not ensured. Sometimes we find ourselves surrounded by biased and untruthful opinions, unable to form decisions in a natural manner due to phenomena such as “echo chambers” which refer to situations where people with similar interests or opinions tend to form a community that reinforces their existing views, removing any opportunities to encounter different views, or a “filter bubble” which refers to a state of isolation where any information disagreeing with the individual’s views is automatically filtered out. Cambridge Analytica’s involvement in the 2016 United States presidential election scandal came to light and the firm was accused of intentionally influencing citizens' voting behavior by carefully guiding the voting behavior of each classification group based on voter profiling during the election. A system is needed to ensure citizens’ access to sufficient information to allow each citizen to make their own decisions and participate in a democratic society.
Under these circumstances, the Digital Agency was established and is about to exercise strong authority as a control tower for Japan’s “digitalization of society.” The policies formed by the agency are centered on increasing the number of the Individual Number Card holders among all citizens and encouraging the use of the Individual Number (My Number), aiming to thoroughly utilize data. The scope of application of the Individual Number has reached the area of administrative affairs that has little to do with the initial purpose of taxation and social security and there are no restrictions on private sector entities developing a database with the Individual Number Card. The legal system concerning protection of personal information was revised with the passing of six laws related to digital reform and there is a concern of weakening the protection of residents’ privacy by local governments as a result.
Furthermore, the use of facial recognition systems, including in police investigations, is spreading in Japan without any limitations or legal rules. In China, approximately 600 million street surveillance cameras with facial recognition functions monitor behaviors of people while searching the personal information database of all residents and being linked to social credit scores (a score given to the individual based on the evaluation of their creditworthiness based on various data on them). There is a concern that if Japan continues down this path, Japan will turn into a similar society. There are serious problems in putting facial recognition systems into practical use without giving sufficient consideration to privacy.
Despite having popular sovereignty and being the right holder of information, we may become mere objects whose data is collected, analyzed, and utilized by administrative organs and private sector entities, hindering the self-determination and self-actualization of each citizen as an individual. This could even result in the withering of civil society as a whole.
It is necessary to preliminarily incorporate privacy protection measures into the system design for digital society. If citizens themselves cannot participate in designing the system and have their opinions reflected, it will be difficult to protect privacy after the fact.
Having adopted “Resolution Calling for the Realization of Safeguards for the Right to Privacy in the Advanced Information and Communications Network Society” at the 53rd JFBA Convention on the Protection of Human Rights mentioned above, and noting that the activity of digital platform operators has significantly grown since the resolution was adopted and cross-cutting data use between public and private sectors is being strongly encouraged under the leadership of the government, the JFBA calls on the government to establish a legal system and principles as follows in order to protect human autonomy and democracy in digital society and ensure privacy and the right to control personal information.
- 1. A law that includes the following items should be enacted in order to enforce the implementation of the right to control personal information on digital platforms (including internet providers and telecommunications carriers) and uphold the foundation of democracy.
- (1) Prior consent shall be a requirement for obtaining information that enables the identification of user activity history including cookies. Services shall not be refused to those who do not give consent.
- (2) The type and scope of not only collected personal information but also information that may lead to the identification of the individual shall be clearly indicated, and efforts shall be made to disclose the results from using the information and providing it to third parties.
- (3) Users shall be granted the rights stated in the GDPR (the EU General Data Protection Regulation) such as the right not to be subject to profiling, the right to deletion, the right to data portability, etc.
- (4) As for AI algorithms applied to collected information (including those applied after deep learning) and data processing after the application, at least the basic structure of the process shall be disclosed and explained.
- (5) Self-regulatory rules regarding fake news and their implementation shall be carried out and the results of the implementation shall be disclosed.
- (6) Algorithms to ensure highly reliable information and points of contact with diverse opinions shall be set and implemented, and the results of the implementation shall be disclosed.
- 2. In order to substantively guarantee citizens the right to privacy and the right to control personal information, the following points should be specified through amending an existing law or enacting a new law.
- (1) The following parts of the Act on the Protection of Personal Information shall be revised to match the GDPR regarding privacy protection.
- (a) Information that is unnecessary and unreasonable to collect shall not be processed.
- (b) Protection shall be applied to information that may lead to the identification of the individual when combined with other information.
- (c) The right not to be subject to profiling, the right to deletion, the right to data portability, etc. shall be guaranteed.
- (d) The Personal Information Protection Commission shall be realigned as an institute dedicating itself to privacy protection with enhanced investigational authority, aiming to strengthen privacy protection.
- (2) Monitoring by public authorities themselves or through private sector entities by means of the exhaustive collection and searching of citizens' digital data shall be prohibited.
- (3)In order to prevent the Individual Number and the Individual Number Card from becoming the infrastructure for information monitoring by administrative organs and private sector entities, the Individual Number system shall be fundamentally reviewed, or the scope of the use of individual identification codes such as the Individual Number and the My Key ID shall be significantly limited.
- (4) Noting that the establishment of the Digital Agency and the Cyber Forces within the National Police Agency, in addition to existing government agencies which carry out information collection, has strengthened the collection management of personal information by public authorities, strict limitations on their monitoring authority and the exercise of that authority shall be defined, and a system shall be put in place to realize an independent third-party body in charge of overseeing the public authorities.
- (5) The use of facial recognition systems by either public or private sector entities shall be prohibited by law in principle, and strict conditions for the installation and operation of the systems shall be set. Also, the requirements on the installation and operation of surveillance cameras with the capability to supply basic data to the systems shall be clearly indicated, and their installation and operation shall be placed under the management and supervision of the Personal Information Protection Commission.
- 3. When promoting digital society in Japan, the government should uphold the following in order to democratize its digital policy, in addition to substantively guaranteeing citizens the right to privacy and the rights to control personal information.
- (1) The principle of consent shall be fully respected on the major premise that the privacy of citizens is to be guaranteed to the maximum extent possible, and a system shall be set up so that those who refuse to give consent are not disadvantaged and the usability and efficiency afforded to them is ensured within the scope of the system.
- (2) Privacy impact assessment shall be carried out in advance and the results of the assessment shall be disclosed, and the system shall be designed to reflect the opinions of citizens and preliminarily take into account privacy protection (privacy by design).
- (3) Local autonomy shall be respected to the fullest extent in designing a necessary system, rather than giving administrative efficiency the highest priority. Designing it at a local government level shall be permitted, and the opinions of local governments shall be sufficiently heard and reflected in the decision-making process.
- (4) A system shall be adopted to allow the participation of citizens. Until the system is put in place, at least half of the participants in the discussion about the system design shall be those representing the consumer and citizen side, not only those representing administrative organs and industry, to have their opinions reflected in the discussion.
- (5) As for accumulation, management, and operation of personal information that was generated online, a framework shall be established to allow citizens themselves to keep their personal data secret or hidden and have control over its sharing.
The JFBA is committed to protecting human autonomy and democracy in digital society.
We resolve as above.
September 30, 2022
Japan Federation of Bar Associations