Kojiro Murakami1"A Consideration on Categorizing Information Privacy Rights" is a peer-reviewed paper that provides a broad survey of information privacy rights to date, including the theory of the right to control one's own information, and proposes a new typology that synthesizes them.
- Murakami, K. (2023). A consideration towards categorizing information privacy rights. Ministry of Internal Affairs and Communications Academic Journal "Information and Communications Policy Research" Vol. 7, No. 1
Overview
The outline is as follows:
The importance and changes of information privacy rights
- The traditional "consent principle" and "notice and choice approach" have been emphasized, but the spread of IoT and AI has made it difficult to obtain effective consent.
- Legal theories regarding the right to privacy have been influenced, and the theory of the right to control one's own information was mainstream, but recent changes in the information environment have led to the proposal of new views.
Categorization of privacy rights
- The right to privacy can be divided into "informational privacy," "privacy of self-determination," and "territorial privacy."
- Information privacy rights are divided into three categories:
- Right to control your own information
- Right to properly handle personal information
- Right to keep private life private
Recent theories and their criticisms
- Koji Sato's theory:The view of Koji Sato, who advocates the theory of the right to control one's own information. He defines the right to privacy as "the right of an individual to decide to what extent their own information is disclosed and used." This is based on the right to pursue happiness in Article 13 of the Constitution, and is2and "Denotational Information"3The law states that proprietary information requires particularly strong protection, that intervention by public authorities is prohibited in principle, and that the distinction between proprietary information and denotational information is important.
- Criticism: The concepts of "personal information" and "control" are vague, and it has been pointed out that the handling of extensional information is particularly unclear. It is unclear to what extent the "misuse" or "accumulation" of extensional information constitutes a violation of privacy rights.
- Tatsuhiko YamamotoTheory: While viewing the right to privacy as the "right to control one's own information," Yamamoto advocates the "structural review theory (system control theory)" which places emphasis on the structure of information systems and databases. He argues that by reviewing the structure and architecture of databases, it is possible to address the broad impact on society. He also understands the content of the right to privacy in a multifaceted way, and taking into account that specific information can be derived from extensional information, he is notable for his view that outer confines information as well are subject to control. Yamamoto's view is based on the presence or absence of system defects, and is consistent with the Supreme Court ruling on the Resident Registry Network.
- Criticism: First, it is too focused on defining privacy rights in a centralized way and lacks the flexibility to consider multiple views. Furthermore, it is criticized for being too ambiguous in its concepts of "personal information" and "control," and for being too powerful in its approach to control extensional information without distinguishing it from inherent information.
- Doi Shinichi's theory:It provides a multi-dimensional understanding of the basis for the right to control one's own information, based on a two-fold classification of proprietary information and denotative information, with some intermediate classifications of information also suggested. The content of the right to control is divided into "control as a decision-making right" and "control as a check," with the former only being applied to proprietary information, in principle. Furthermore, it is notable in that it also recognizes the benefits of having personal information handled appropriately. This clarifies the right to control one's own information and increases its effectiveness.
- Criticism: The positioning of the "right to have one's information handled appropriately" is unclear. Also, the necessity of broadly recognizing this right without distinguishing between "personal information" and "extensional information" is questioned. Furthermore, it has been pointed out that the theory of privacy issues between private individuals is lacking.
- Otonomichi Exhibition Theory:It criticizes the right to control one's own information and reframes the right to privacy as "the right to have one's information handled appropriately." It takes into consideration how to respond to the information environment, including IoT and big data. It is modeled on Article 31 of the Constitution. In response to this view, Murakami argues that rather than modeling it on Article 31 of the Constitution, it should be concretized by referring to the OECD FIPs principles.
- Criticism: It is contradictory to seek "the right to have one's personal information handled appropriately" in Article 13 of the Constitution, while referring to the model of Article 31 of the Constitution. Another problem is that it does not clarify the specific cases in which the individual's consent is required. Finally, the theory is criticized for being difficult to apply between private individuals, as it is limited to cases involving private individuals versus public authorities.
- Takayuki Kato's theory:Aiming to reevaluate the right to privacy, he recommends the traditional right to privacy, "the right to keep one's private life private." He analyzes in detail the legal precedents of the UK, Ireland, and Japan, and particularly praises the definition and judgment criteria of the right to privacy in the "After the Banquet" case. He argues that in cases where the right to privacy and freedom of expression conflict between private individuals, it is excessive to recognize a strong right such as the right to control one's own information, and that it is appropriate to remain with the traditional right to privacy. He also recognizes the "right to have personal information protected."
- Criticism: First, it has been pointed out that the reevaluation of "traditional privacy rights" does not adequately address the new information environment. In addition, the targets of traditional privacy rights are vague, and the specific standards for application are unclear. Furthermore, the lack of explanation of the content of the "right to personal information protection" has also been criticized.
- Hiromitsu Takagi's theory:He criticizes privacy rights such as the right to control one's own information, and argues that data protection legislation should be based on a "decision-oriented interest model." He supports the views of Yong Bing and Fritz Hondius, and argues that the core of legal interests to be protected is the "principle of relevance."
- Criticism: Traditional Japanese theories of the right to control one's own information, such as those of Koji Sato, have emphasized control over the "flow" of one's own information, but isn't it necessary to reconsider this to include control over the "content" (relevance, accuracy, completeness, and recency) of one's own information? Also, with regard to Otonashi's theory of the right to appropriately handle one's own information, while "relevance" may already be taken into account to a certain extent, it seems appropriate to consider the appropriateness of the overall content, including accuracy, completeness, and recency.
Moving away from binary thinking
After considering the above, Murakami proposes moving away from binary shipping.
Breaking away from the idea of choosing between two options means criticizing the tendency in Japan to define privacy rights in a unified way and the debate over whether to choose traditional privacy rights (the right to keep one's private life private) or modern privacy rights (the right to control one's own information), and instead arguing that the coexistence of both should be allowed. In particular, rather than classifying them from the perspective of whether they are old or new, it is considered reasonable to allow the coexistence of three rights according to the strength of their effectiveness (the right to control one's own information, the right to properly handle one's own information, and the right to keep one's private life private).
Plural grounds theory and typology of information privacy rights
The theory of pluralistic grounds is a position that grasps the values that support the right to privacy in a pluralistic way and presents multiple grounds to respond to the diverse situations of privacy violation. For example, Tatsuhiko Yamamoto lists "personal values," "values related to relationship building," and "community-constitutive values." Recognizing multiple values in this way strengthens the foundation of the right to privacy.
Typology is an approach that divides privacy rights into several types according to these pluralistic values. Kojiro Murakami categorizes privacy rights into three types: "right to control one's own information," "right to properly handle one's own information," and "right to keep one's private life private," and clarifies the strength of each right. This is a systematic organization for dealing with various privacy issues, and is proposed as a framework that can also respond to the development of the information society.
A tentative proposal for a new typology of information privacy rights
Basic policy for categorization
First, we will organize the basis of the theory of pluralistic grounds. Specifically, we will classify the grounds for privacy rights into three rational categories: (3) personal grounds (personal values, property values), (XNUMX) relational grounds (protection of reasonable trust and expectations, protection of the weak), and (XNUMX) social grounds (democratic values, values that restrain government authority, anti-totalitarian values).
Next, information privacy rights are classified into three rights: the right to control one's own information, the right to properly handle one's own information, and the right to keep one's private life private, and a framework is adopted according to the strength of their effectiveness. The right to control one's own information is set as the strongest right, followed by the right to properly handle one's own information as a middle right, and the right to keep one's private life private as a weaker right.
In the case of a private citizen versus a public authority
When targeting specific information
Proprietary information is "information that pertains to the fundamentals of moral autonomy," and primarily refers to sensitive information relating to an individual's mind and body. When public authorities handle this information, they should be granted a strong "right to control one's own information." In principle, the acquisition and use of proprietary information requires the consent of the individual, and the right to request disclosure, correction, and deletion of information is also recognized. In addition, structural review of information systems and databases is important, and this includes control over the "content" of the information.
The standard for reviewing unconstitutionality is the "compelling interest standard," which requires that the purpose be indispensable and the means be limited to the minimum necessary. The Supreme Court ruling on the Criminal Record Inquiry Case (April 1981, 4) recognized strict protection for proprietary information, judging that "criminal records, etc., are matters that directly affect a person's honor and credibility, and even those with criminal records, etc., are protected from being made public without due cause."
When targeting denotative information
Extensional information is "individual information about external matters of life that are not directly or deeply related to the foundations of moral autonomy," and the "right to appropriately handle one's own information" should be recognized for the handling of this information. With reference to the OECD's eight principles, restrictions on collection, data content, clarification of purpose, restrictions on use, security protection, disclosure, individual participation, and accountability should be ensured. Individual consent is only required in exceptional cases, and the scope is limited. The right to request the disclosure, correction, and deletion of extensional information is also recognized, and a structural review of the information system is also necessary.
The standard for reviewing unconstitutionality is either the "standard of strict rationality" or the "standard of rationality," and judgments are made based on the confidentiality and importance of the information in question, and the nature of the regulatory action. In the Supreme Court ruling on the Resident Registration Network case (March 2008, 3), denotative information such as name, date of birth, gender, and address was found to be constitutional under the standard of rationality, as it has a low level of confidentiality, and it was also confirmed that there were no flaws in the system.
In the case of private individuals
In the case of private individuals, the violation of privacy rights mainly becomes an issue as a claim for damages under Article 709 of the Civil Code. Theoretically, the constitutional theory of private-individual effect is involved, so the interest situation in the conflict of interest is different from that in the case of public authority. Therefore, this paper will proceed with the examination based on the three grounds set out in the new pluralistic theory of effect (① personal ground, ② relational ground, ③ social ground).
In the case of specific information
With regard to proprietary information, the personal basis of "personal value" and "property value" is strongly recognized, and "social value" is also recognized to a certain extent. It depends on the case, but it is appropriate to apply the strongest right, the "right to control one's own information." In principle, without the consent of the individual, it is illegal to acquire, collect, hold, manage, use, and disclose or provide information. In addition, as a positive aspect, requests for the disclosure, correction, and deletion of personal information are permitted, and structural review is also required when the target is an information system or database. One example is the HIV testing case, where it was deemed illegal for the company to acquire information without the individual's consent.
In the case of denotational information
With regard to external information, there is a personal basis of "personal value" and "property value," but this is not very strong. As with the case of dealings with public authorities, the right to properly handle one's own information applies. The content of this right is modelled on the OECD 8 Principles, and although the principle of consent is not strictly adopted, the right to request the disclosure, correction and deletion of one's own information is recognised to a certain extent. A requirement of the right to properly handle external information is the structural review required to protect the security of information systems and databases. As an example, in the case of the submission of a list of Waseda University lectures, information was disclosed beyond the intended purpose, resulting in a violation of privacy rights.
When a compromise with freedom of expression is necessary
When a compromise with freedom of expression is required, the right to information privacy and freedom of expression often come into conflict. In particular, in cases where private life is exposed by the media, it is appropriate to apply the "right not to have one's private life arbitrarily disclosed" rather than the strong right to control one's own information. The ruling in the After the Banquet case listed the following three requirements as the standards for a violation of the right to privacy: (i) it is a fact of private life, (ii) it is deemed that disclosure is not desirable based on the general public's sensitivities, and (iii) it is not yet known to the general public. This achieves a balance between the right to information privacy and freedom of expression.
Conclusion
The right to privacy is divided into "privacy of information," "privacy of self-determination," and "privacy of territory," and it is concluded that the right to information privacy in particular should be viewed in a multi-dimensional way and classified into three rights: "right to control one's own information," "right to properly handle one's own information," and "right to keep one's private life private." Taking into consideration the strength of each right, the right to control one's own information is positioned as the strongest, and the right to keep one's private life private as the weakest. This view, which modifies and develops the conventional theory of the right to control one's own information, is not a novel theory but rather a systematization of existing leading views.
However, many issues remain to be addressed, such as the definition of the specific scope of unique information and descriptive information, the further specification of the content of privacy rights, and the relationship between information privacy rights and personal information protection legislation.
footnote
- Professor, Institute of Information Security
- It is "information related to the fundamentals of moral autonomy" and refers to "information related to the fundamental aspects of an individual's mind and body (so-called sensitive information), i.e. basic information related to thoughts, beliefs, mind, and body, and information that may cause serious social discrimination."
- "Individual information about external life matters that are not directly or deeply related to the basis of moral autonomy." Specifically, this refers to personally identifiable information excluding specific information and sensitive information.