On June 24, 2014, Japan's Strategic Headquarters for the Promotion of an Advanced Information and Telecommunication Network Society ("IT Strategy Headquarters") within the Cabinet Office announced its "Policy Outline of the Institutional Revision for Utilization of Personal Data"(the "Policy Outline").
Following the December 20, 2013 publication of the IT Strategy Headquarters' decision titled "Directions on Institutional Revision for Protection and Utilization of Personal Data," and further discussions made by the personal data study council established within the IT Strategy Headquarters, the Policy Outline was decided with a view to submit a bill to amend the Personal Information Protection Act (Law No. 57 of 2003) ("the Act") in the January 2015 session of the Diet (Japan's bicameral legislature).
The Policy Outline was open for public comment until July 24, 2014. This is the first amendment to the Act in the more than 10 years since the Act's original enactment in 2003 and its full enforcement beginning in 2005.
While we will have to wait for a bill to be submitted to the Diet early next year for further details of the amendment, this Commentarydescribes the main points set out in the Policy Outline that will significantly affect the business practices and compliance programs of Japanese companies, as well as foreign companies, engaged in the collection and use of personal data in Japan.
The remarkable progress in information and communications technology and the rise of "big data" business. More than 10 years have passed since the enactment of the Act. During this decade, remarkable progress in information and communication technology has been made at an unexpectedly rapid pace, making it possible to store and analyze "big data,"—namely, large amounts of data sent to and collected from personal computers, smartphones, car navigation systems, etc.—at a much lower cost than before. Utilization of such data brings companies valuable information regarding the needs and tastes of consumers for use in the development of new products or services. The Japanese government also considers the use of IT and big data as the key to business success amidst global competition.
Despite such a need and the high value of using big data, it is said that many Japanese companies hesitate to make use of it, in particular "personal data," because of the ambiguities of the rules under the Act and consumers' growing privacy concerns. The conflict between the usage of big data and privacy is best illustrated by the JR Suica incident. A Suica card is a rechargeable smart card that can be used as a fare card on trains in Japan. The card can also be used for shopping at a number of stores. In late June 2013, East Japan Railway Company ("JR Eas"t) decided to sell the processed travel record information and purchase history recorded on customers' Suica cards to a third party. JR East planned to delete each person's name and telephone number before transferring the information so that the third-party recipient could not identify the person. A number of objections and opposing views were raised by consumers, saying that identification could be possible, if combined with other data and information available on the internet and social networking services ("SNS"), and that privacy would be infringed even if there were no violation of the Act. Consequently, JR East abandoned the plan on July 25, 2013.
Under such circumstances, it has been recognized that the Act needs to be amended to set out a new system to facilitate the utilization of personal data while protecting the privacy of individuals.
Globalization. As information and communication technology advances, more and more personal data is distributed across national borders, especially through cloud services. To cope with such changes, reviews of privacy rules have been conducted on a global basis, including, inter alia, revisions to the Organization for Economic Cooperation and Development ("OECD") privacy guidelines of July 2013, approval of the draft General Data Protection Regulation by the European Parliament's plenary session in March 2014 in the European Union,and publication of the "Consumer Privacy Bill of Rights" in the United States in February 2012.
Given such a global movement, the Policy Outline recognizes that the Act needs to be reviewed from the perspective of international harmonization.
Major Matters to Be Revised
New framework to allow utilization (transfer) of personal data without consent. Under the Act, with some exceptions, the transfer of Personal Data requires the advance consent of the person (Article 23, Paragraph 1). The Policy Outline states that a new system will be introduced under which Personal Data, that is processed into data with a reduced identifiability of persons, can be transferred without the consent of the person. In other words, if the Personal Data is anonymized, pseudonymized, or otherwise processed so that there is a reduced possibility that the person can be identified, consent of the person will not be required for the transfer of such data.
It is well taken that even with such a reduced possibility of identifying the persons, the persons may be identified and personal rights may be violated if the data is not handled properly. Accordingly, necessary measures will be taken to define the proper handling of the data. Such measures will include, for instance, the prohibition of a data recipient from any attempt to identify persons through analyzing their data in combination with other data.
The question is what measures will suffice to "process the Personal Data into data with a reduced possibility of individuals being identified." The Policy Outline has not provided any clear guidance for judging whether a certain method is sufficient or not. Rather, the Policy Outline states that such processing measures should not be decided uniformly because of the variety of data and usage thereof. Accordingly, under the proposed new framework, such measures will be decided by self-regulatory rules to be established by nongovernmental organizations. A third-party organization equivalent to the privacy commissioner in other nations (which will be established as further explained below) will then certify such nongovernmental organizations and self-regulatory rules.
Expansion of scope of protection as "personal information." In the Act, "Personal Information" is defined as "information about a living individual which can identify the specific individual by name, date of birth, or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual) (Article 2, Paragraph 1). As this definition shows, whether the person can be identified via the information is the key criteria for distinguishing between the personal information to be regulated under the Act and other information. Accordingly, such information as a mobile ID, IP address, location information, etc., does not fall under the definition of "Personal Information" under the Act. However, there is a growing concern that privacy rights may be at risk if such information is not properly handled, as with rapidly developing information technologies such information could be easily linked with other information and the person identified. On the other hand, from the perspective of business, companies are often reluctant to utilize personal data because of such consumer concern over their privacy, and the unclarity in interpreting the Act.
To resolve the above issue and remove the barriers to the utilization of personal data, the Policy Outline proposes to clarify personal data to be protected and lay down regulations as necessary. Information "pertinent to the physical characteristics of individuals, such as fingerprint recognition data and face recognition data" is expressly stated in the Policy Outline as additional information to become protectable. However, it is not clear what other information will be additionally included in the scope of personal information. In light of the discussions made in the personal data study council, it is possible, though yet uncertain, that identification numbers such as passport numbers, driver license numbers, IP addresses, and mobile terminal IDs may become protectable.
As the scope of protectable information may vary with time, due to multiple factors such as the development of information and communication technology and the individual's subjective view, it is suggested that only a general framework will be laid down by law and that specific details will be provided through a Cabinet Order, Ministerial Ordinance, Rules and guidelines.
Definitions for "sensitive information" or "sensitive data." The Policy Outline states that the amendment will define information regarding race, creed, social status, criminal record, past record and other information that may cause social discrimination as "sensitive information," and will consider the careful handling of such sensitive information, including a prohibition.
Multistakeholder process and self-regulation rules. In order to balance the promotion of the utilization of personal data with the protection of personal information and privacy, the Policy Outline states that a framework for private sector-led self-regulations will be established based upon the concept of a multistakeholder process, which is defined as "a way of laying down regulations and such in an open process in which relevant parties participate, such as the Government, business entities, consumers, and experts." For instance, it is expected that measures to process Personal Data into data with a reduced identifiability of individuals will be laid down by self-regulatory rules taking into account each business practice and characteristics. Further, a third-party organization (as explained below) will certify such self-regulations and nongovernmental organizations.
Establishment of third-party organization (Privacy Commissioner). At present, the Act is enforced by the minister of each ministry with the authority to supervise its particular business sector. As a result, each ministry establishes ministerial guidelines for the interpretation and enforcement of the Act, and as of today, 40 ministerial guidelines for 27 business sectors exist. Accordingly, each company needs to analyze and identify which ministerial guidelines apply to its business. It is also possible that more than one guideline applies to a particular company. As a result, the Act has not been uniformly or strongly enforced.
Following centralized enforcement systems adopted in other nations, the Policy Outline sets out that the government will establish an independent third-party authority organization to effectively enforce the laws and regulations, as well as self-regulatory rules. It is planned that the Specific Personal Information Protection Commission, prescribed by the so-called "The Number Use Act," will be restructured to form the third-party independent organization.
Furthermore, it is expected that the third-party organization will be given stronger powers and more functions than each minister currently has under the Act. Currently, the minister of a relevant ministry may take such measures as (i) advice, (ii) request for report, (iii) recommendation, and (iv) order. In fact, during the eight-year period from 2005 to 2012, there was no case where an order was issued, and only seven where recommendations were issued.
In addition to the above powers and functions, it is planned that the third-party organization will be able to "give instructions, perform onsite inspections, [and] make public announcements." Furthermore, the third-party organization will perform the duties of advance consultation, handling of complaints, cooperation with enforcement authorities of other nations, etc. It is expected that the introduction of "advance consultation" will provide companies with more foreseeability when they start new businesses using the personal data.
Globalization issues. Regarding extraterritorial application, the Act is generally interpreted to not apply to foreign entities. However an increasing number of cloud service providers and other foreign entities collect and use the personal information of Japanese residents. Therefore, the mere domestic application of the Act is considered insufficient to protect the privacy rights of people residing in Japan. For this reason, the Policy Outline states that the definition of "Entity Handling Personal Information" to which the Act applies will be revised to adequately enhance the scope of the Act's application to include foreign entities. Further, in order to ensure the proper handling of personal data by such foreign entities, the amendment will provide a legal basis for the third-party organization to provide foreign enforcement authorities with information useful for their enforcement under the pertinent law and regulations.
While the transfer of Personal Data is regulated under the Act, there is no additional requirement or regulation for the extraterritorial transfer of Personal Data. Accordingly, there is no way to regulate or prohibit the transfer of Personal Data to a country where the protection of Personal Data is insufficient. To resolve such an issue and harmonize the level of protection in this regard with many other jurisdictions, the Policy Outline states that if the entities handling personal information transfer Personal Data to a foreign entity, such entity will be required to take necessary action, such as conclusion of a contract requiring the recipient of such Personal Data to take the necessary and appropriate actions for the safe management of the Personal Data. Further, there are various types of transfer of Personal Data, for instance, (i) transfer to a foreign group company, (ii) transfer to a foreign service provider, (iii) joint use with a foreign entity, (iv) transfer to a nonaffiliated third-party entity, (v) transfer associated with business transfer or merger, and (vi) re-transfer to an entity of a third nation. The Policy Outline states that the government will consider both the details of necessary actions and a framework for ensuring their effectiveness depending upon the types of data transfer.
According to the Policy Outline, it is planned that a bill to amend the Act will be submitted to the Diet in or after January next year as early as possible, and that the third-party organization will be established as soon as possible after enactment of the amendment.
The revisions will significantly impact not only Japanese companies but also foreign companies that collect and use the personal data of Japanese nationals. In particular, given that the amended Act will expressly provide applicability of the Act to foreign entities, it is important to continue watching the development of these revisions in order to analyze and examine its impacts and determine how businesses should comply with the new rules.