Japan's data privacy laws have been in force for nearly a decade, sufficient time for evidence of their enforcement to become apparent and be assessed. After explaining briefly the legislative and administrative structure of Japanese data privacy law, this article examines each aspect of the legislation (and associated administrative practices) relevant to enforcement and considers the available evidence of its effectiveness. The article documents the very limited evidence of use and effectiveness of each of the possible types of statutory enforcement in relation to the public sector, and the private sector, and by the co-regulatory systems. It shows that the enforcement mechanisms in the Japanese system are not used to any significant extent, that the ways in which they work are not transparent enough, and that the range of enforcement mechanisms is very limited. Strong but unsubstantiated claims are made by government bodies and academics that Japanese businesses comply with the legislation without being required to do so, but the extent of compliance is a separate enquiry outside the scope of this article. The result is a system that asks observers to take it on trust that it is effective. The absence of evidence is in itself a deficiency, a failure to provide transparency of the enforcement system. Put politely, the effectiveness of Japanese data privacy law remains a puzzle. Major reforms are proposed by the government which may provide much more effective means of enforcement, but are only likely to succeed if they also make that enforcement more transparent.
ASJC Scopus subject areas