Washington International Law Journal


In 1890, when Brandeis and Warren wrote The Right to Privacy, Japan did not have a word for privacy. Today, it is closely guarded in Japan: the European Data Protection Board has found privacy protections in Japan “equivalent” to those in the EU. This research explores the evolution of privacy law in Japan, focusing on data breach and the legal rights and obligations associated with it. The writing is broken up into two parts: This article discusses private enforcement of privacy norms, as it is the courts that first established and continue to define privacy rights in Japan. A separate article will address the public law regulation of privacy, including discussion of Japan’s Act on the Protection of Personal Information and its regulatory enforcement. Examining the civil litigation that has defined privacy norms in Japan, one finds three distinct periods: early judicial decisions that create privacy rights by weaving together pre-existing legal doctrines in new ways; a period of expansion where courts recognize a legal injury for disclosure of even basic personal information; and a recent Supreme Court decision that expressly recognizes a remedy for the mental distress that arises from a data breach, even without proof of financial harm. In comparison to the public law cases, one also finds a public law-private law divide. While some Japanese courts in data breach litigation suggest individuals possess a “right to control” their own personal information; in cases involving the central government, one finds no more than a right to the “reasonable handling” of that information. A cross-jurisdiction comparison suggests Japan seeks middle ground. Japanese courts define privacy rights more broadly than in the U.S., but not to the extent found in jurisdictions governed by the GDPR. In doing so, Japanese courts use tort law to balance interests: to compensate plaintiffs; to incentivize defendants’ compliance with industry standards and government regulations; and to reward defendants who implement post-incident remedial measures. The result is a set of legal norms that clearly recognize privacy rights, but also limit damages. These legal norms, in turn, have produced stable market norms that now allow parties to settle most data breach claims. Privacy is no longer a foreign concept in Japan.