One year has passed since the European Union (EU) enacted the EU General Data Protection Regulation (GDPR) to protect personal data. In Japan too, the Act on the Protection of Personal Information (“the Act”) is scheduled to be amended in 2020, and recently, an Interim Report*1 summarizing the points of discussion related to the amendments was announced in this regard. With this, an increasing number of companies have started to believe that appropriate management and utilization of personal data is an important business issue. We asked Shintaro Kobayashi of Nomura Research Institute, who is familiar with the trends in personal data management, about the impact of amendments to the Act on companies and the possibility of using personal data.
Amendments to the Act to Respond to the Progress of Data Economy and Globalization
The Act on the Protection of Personal Information is reviewed every three years. Is it so?
In 1980, the eight principles outlined in the Organization for Economic Co-operation and Development (OECD) Privacy Guidelines became universal languages for handling personal data. These include basic principles for handling personal data, such as the "Purpose Specification Principle" and "Security Safeguards Principle". Since awareness regarding privacy is deeply rooted in the cultures of each country and can change with the times, specific rules have to be established according to the circumstances of each country. Therefore, Japan reviews its legal system every three years based on the OECD 8 Principles, while considering the progress of data economy*2 and the trends of globalization. The next amendment to the Act is scheduled for 2020.
How has this study changed compared to the previous study?
In the last amendment to the Act (fully enforced on May 30, 2017), an independent specialized organization called the Personal Information Protection Commission was established, and the knowledge and experience that were previously distributed among ministries and agencies were consolidated. This is why the Personal Information Protection Commission is at the center of the next amendment, and examinations are being carried out to understand how data utilization can be effectively promoted while protecting privacy and how data can be exchanged safely between countries, based on data economy and globalization trends.
Focus on medium- to long-term benefits rather than temporary pain
What are the points of discussion in data utilization?
In the last amendment, the system of "anonymously processed information" was introduced to process personal information in such a way that individuals cannot be identified, and to prevent the restoration of such personal information. However, this system has not been used much due to strict constraints. Therefore, some argue that other than anonymous processing of information, which makes individual identification impossible, some of the obligations related to "pseudonymization", in which names or other information are replaced (and can be returned to the original names through a collation table), can be relaxed to promote data utilization. Since it is difficult to understand the difference between anonymous processing and pseudonymization, a proper definition of the latter is also being considered.
When promoting the use of corporate personal data, it is important to strike a balance by letting individuals control it at the same time. However, the challenge is to grant individuals the right to suspend their use. Under the GDPR, individuals may withdraw their consent or file an objection to stop their information from being used; however, in the Act on the Protection of Personal Information, individuals can exercise it only when there is a mistake on the company’s end. Without this limitation, if an individual is granted the right to voluntarily suspend the use of the data, companies will be required to keep track of what data has been agreed to be used for what purpose, on an individual-by-individual basis.
One should also be aware of the differences with overseas systems
For example, GDPR grants "data portability right" that enables individuals to transfer their data collected and accumulated by companies to other companies' services. It also stipulates that data transfer must be carried out in structured electromagnetic records. This also has competitive implications that allow companies other than Google, Apple, Facebook, and Amazon (GAFA) that are strong in data economy to use data accumulated by GAFA.
In Japan also, there have been discussions on making it compulsory for companies to provide information in electromagnetic form when responding to individual disclosure requests. Although it may put a burden on enterprises that are not able to systematically manage personal information, in the mid-to-long term, it will lead to the promotion of data utilization businesses such as information banks.
Industries can create independent rules to promote utilization
What kinds of issues are there in data protection?
In Japan, when any personal information is leaked, companies are obliged to make efforts to report the matter to the controlling authority. In the rest of the world, however, mandatory reporting is becoming a standard. There are various issues regarding the modality of this reporting obligation, but it is anticipated that Japan will also move in the direction of making it mandatory.
The penalty is also a big issue. In Europe and the U.S., penalties for information leaks and violations of laws and regulations may amount to billions of yen. On the other hand, Japan has a maximum penalty of 500,000 JPY. There are opinions that more stringent penalties should be imposed, as in Europe and the U.S. However, the country has not imposed any kind of fine so far in any case. Moreover, industries fear that it could undermine the use of data.
What kind of preparations should companies make?
The management and use of personal data is an inevitable challenge for all companies. As stated in the "Privacy by Design" concept, it is important for companies to assume risks in advance and incorporate privacy protection measures into their operations and systems.
When driving an automobile, if the brake does not work, one cannot speed up comfortably. In the same way, data utilization will progress only if we have proper rules in place. However, since the Act on the Protection of Personal Information is a general law, it is impossible to take account of individual circumstances within the industry. I think it is necessary for the stakeholders of each industry to hold discussions and develop independent rules for the protection and utilization of personal information.
- *1 Interim Report: “Interim Report on 3-Year Review of the Act on Protection of Personal Information” by Personal Information Protection Commission (April 25, 2019)
- *2 Data economy: Economic activities that generate value from the vast amount of data generated through social activities
Nomura Research Institute, Ltd.
Corporate Communications Department