The State of Legal Reform and Privacy Investments Towards GAFA Regulation
Aug. 09, 2022
Nomura Research Institute (NRI) is planning a series of eight presentations by consultants who work with clients every day to solve social issues on the ground, with the aim of providing information on social issues that the Consulting Division is focusing on and the approaches being taken for solutions.
The theme of the first presentation is “The Era of Privacy Governance,” touching on trends in privacy protection laws and regulations in the United States and Europe, and proposing approaches to revising Japan’s Act on the Protection of Personal Information (“APPI”) and to the privacy investments required of companies.
We interviewed Shintaro Kobayashi of the ICT Media Consulting Department, who gave the presentation.
Repeated Amendments to the APPI
Since around 2010, when smartphones and social media first appeared, the utilization of personal data has been gaining momentum. Inevitably, this has brought with it the issue of privacy governance—that is, how companies balance the protection and utilization of personal data. This presentation summarizes this topic, which has recently been the subject of rapidly growing interest worldwide.
First, I discuss “Why is the APPI being repeatedly amended?”, followed by the topic “Will regulations on GAFA revitalize data distribution?” Then, in light of these two discussions, I propose “What kind of ‘privacy investment’ is required of companies?”

There are two main reasons that the APPI has been repeatedly amended since its enactment in 2003. One is that there has been an endless stream of flaming incidents. At the time of the first amendment to the act in 2015, there was much discussion about flaming incidents on Benesse and Suica, and at the time of the 2020 amendment, the discussion centered on Rikunabi, LINE, and Yahoo! Japan. I should note here that in many of these cases, there were no clear legal violations. Rather, the utilization of personal data amid an ambiguous interpretation of the law led to the flaming incidents.
Behind the flaming incidents was the fact that the companies’ personal data management systems did not address data utilization. As companies started actively working on utilizing personal data, it became necessary to manage data across business divisions and groups, rather than within a single system, but many companies had not been able to achieve this. In their attempts to promote the use of personal data, they neglected to consider consumers, leading to flaming incidents.
The second reason for the repeated amendment of the APPI is the acceleration of privacy protection around the world. The drafting of the EU General Data Protection Regulation (“GDPR”) in 2012 was followed by discussions on legal reform in Japan and the United States.
This trend will presumably continue, with Japan’s next legal amendment scheduled to take place in three years. In Europe and the U.S. as well, there are constant discussions about legal reform and new legislation. Global companies will be forced to respond.
Will Regulations on GAFA Revitalize Data Distribution?
Personal data used on websites in Japan is mostly concentrated among GAFA, with web services in particular concentrated within Google. DataSign, a privacy protection solutions provider, surveyed 160,000 sites in Japan to determine what web services were embedded in them, and found that nine out of the top ten were Google services. GAFA’s dominance also extends into the real world, with data being aggregated in the automotive, smart home, and wearable device sectors.
Since this future has been foreseen for some time, the draft GDPR published in 2012 created the “data portability rights”—rights that entitle individuals to take their personal data with them. Data portability rights can be broadly divided into two types: “indirect transfer,” in which an individual receives the data and transfers it to another controller, and “direct transfer,” in which the data is transferred between controllers without the individual’s involvement. GAFA are investing significant funds to address data portability, including with the launch of a direct transfer portability service and the establishment of the Data Transfer Project (DTP).
However, consumers are not necessarily demanding that companies utilize their personal data. According to an NRI survey, the most common feature/service that consumers want from information and communication services is a feature/service that makes it possible to erase the data that companies have about them. Even if data portability is realized under these circumstances, there are concerns that the data will remain among GAFA or be erased without being distributed. Companies need to gain the trust of consumers and take action to get their personal data back from GAFA.
“Offensive” and “Defensive” Privacy Investments Required of Companies
In the times ahead, companies unable to invest in privacy protection will be weeded out. Therefore, I propose both “defensive” and “offensive” approaches to the privacy investments that will be required of global companies going forward.
The first step in “defensive” privacy investments is to appoint a privacy protection officer and build a privacy protection organization that will be the main driver of activities. Until now, there has been no core supervisor or department for privacy protection. However, in building privacy governance, these two elements are essential.
It is important to note that privacy protection and information security measures are two different things. Japanese companies have the tendency to try to respond to the APPI as an extension of the information security measures they have focused on thus far. However, in the utilization of personal data, communication with consumers, such as responding to disclosure requests and obtaining consent for data utilization, is important. Therefore, I believe that these two things should be separated and should be handled by separate supervisors and organizations.
There are other important issues involved in establishing privacy protection organizations, and privacy governance cannot be established overnight. I believe that it would be preferable to build them step by step according to the actual situation of each company.
Next we have “offensive” privacy investments. In order to bring in the data concentrated among GAFA, it is necessary to establish methods and systems to centrally manage personal data. Data that has until now been scattered across various business divisions and group companies must be centralized and well organized. If this is done thoroughly, consumers will be able to transfer their data from GAFA to ordinary companies and potentially receive services that are unique to such companies.
Meanwhile, it is also important to develop areas where you can create your own rules and utilize data. At the beginning of this article, I mentioned the flaming incidents that were caused by the use of data in a gray zone (an area where the scope of application of laws and regulations is unclear), and in order to prevent such situations from occurring and to utilize personal data safely and securely, companies need to create their own rules and create a white zone.
As an example, consider the use of data based on the “opt-out” method. “Opt-out” is a method in which, instead of obtaining an individual’s prior consent for the use of his/her personal data, the use of the data is stopped if the person requests it. While the opt-out method allows more data to be used than the opt-in method, which allows personal data to be used only with the consent of the individual, there is a risk of flaming because consumers have not clearly expressed their intentions. While this ensures anonymity in data utilization, it will be necessary to secure the trust of consumers and society by putting together a code of conduct and publishing it after reviewing it with stakeholders in advance.
The era of privacy governance has firmly arrived, not only in Europe and the United States, but also in Japan. Companies need to make “defensive” and “offensive” privacy investments so that consumers can enjoy the benefits of the data economy with peace of mind.