Gathering Personal Information in Big Data Starts in Earnest from Amended Personal Information Protection Act

October 25, 2017

Gathering Personal Information in Big Data Starts in Earnest from Amended Personal Information Protection Act

Hidetomo Sasaki
Professor, School of Law,
Meiji University
 
In May 2017, the Amended Personal Information Protection Act came into full entirely enforcement. It is said that personal information will be gathered in big data and that its utilization will be promoted, and many people may feel uneasy about that. Let’s newly verify the intention of that amendment and its details.

The Eye-catcher of the Amendment to the Personal Information Protection Act Is “Anonymously Processed Information”

There are three points of amendment to the Personal Information Protection Act that came into full enforcement in May. The first one is that the definition of personal information is clarified from the point of view of utilization. In the background to that, during the period of about 10 years from 2005, when the Personal Information Protection Act was enforced for the first time, to this day, overreactions have been seen in the operation of the Act. For example, it was thought that using personal information was not permitted at all, and cases where a list of members of a neighborhood or graduates association was not drawn up have increased. However, the Personal Information Protection Act has a side of protecting individuals’ privacy and rights, and another side of there being no problem with using personal information as long as it is used in accordance with the rules. As that other side of the allowance of using personal information has not penetrated into ordinary people, that side is clarified in this amendment. To begin with, information previously defined only as personal information is classified into three categories of “Special care-required personal information,” “Personal Information,” and “Anonymously Processed Information.” Special care-required personal information refers to individual’s information, such as his/her criminal or medical record or social status, whose handling requires special care so as not to cause discrimination or prejudice against that individual. Special care-required personal information requires proper management and can be said to be information that may not be generally used. Personal Information refers to an individual’s address, phone number and the like and may be used with that individual’s consent in such a case as drawing up a list of names. Anonymously Processed Information means personal information processed to be incapable of identifying a specific individual through it and is information for active utilization. For example, if the personal information of Mr. X who is a man of 45 years of age and whose address is at X-X, Shakujii-machi, Nerima-ku, Tokyo and whose place of work is at X-X, Kanda-surugadai, Chiyoda-ku, Tokyo is processed to the personal information of an anonymous person who is a man at his forties and resides in Nerima-ku, Tokyo and works in Chiyoda-ku, Tokyo, it has become allowable to provide the latter personal information to a third party without Mr. X’s consent and to utilize that personal information widely in marketing or product development. In addition, it will become allowable to utilize Special care-required personal information by processing it properly to Anonymously Processed Information. For example, information about medical histories will become important medical information. In January 2016, in cooperation with the national government, a system of the “national cancer registration” was started in order to gather data on persons diagnosed with cancer, for totaling, analysis, and management. Such data can be expected to be utilized for treatment and living improvement guidance by processing them in a state of anonymity. Although whether or not personal information may be used was previously unclear, personal information is thus defined through proper classification. Then, protection of personal information has been strengthened, and it has become allowable to utilize personal information in various forms as big data.

The second point of the amendment is that the Personal Information Protection Commission (PPC) has been newly established. In former times, there used to be the Specific Personal Information Protection Commission (SPPC), which was an organization regulating the use of individual numbers. The PPC established through reorganizing the SPPC regulates general personal information including individual numbers. For example, the PPC provides guidelines on processing for Anonymously Processed Information as mentioned above. In the background to the new establishment of such a specialized agency lies the international consensus that an agency specializing in protection of personal information is needed. The EU and other countries requested Japan to establish a third party agency, and Japan established the PPC in response to that request. This leads to the third point of the amendment: Japan is presently actively pushing ahead with establishing common rules for personal information protection within international frameworks such as the Asia-Pacific Economic Cooperation (APEC). In the present age in which world globalization has advanced and multinational corporations are active, personal information crosses borders in various forms; personal information cannot be protected only within Japan. In order for Japan to assume the leadership in establishing international rules, amendment made by making sure of international opinions and trends was needed.
 

Establishing a System in Local Governments and Companies Is Needed for Proper Operation

The law to protect and utilize personal information has thus been developed. After this, it becomes important to establish a system for operating that law properly. Among others, organizations which hold a lot of personal information are local governments, and the degree of enthusiasm for information management varies considerably from municipality to municipality. Highly conscious municipalities provide staff training in information management and have established an organizational system, while not highly conscious ones have not highly conscious workers and are in a state of being incapable of taking information security measures just as they wish. If any information were to leak out from such a municipality, detection of that leak itself would be late, and cases where personal information was stolen have actually occurred. However much security is strengthened, information may leak out. Then, a system is required to limit the number of pieces of information so leaked to 50 without increasing that number to 100 or 200. It is important for municipalities to provide training and education for themselves, raise consciousness, and become able to take quick measures in an emergency without leaving information management to experts for reason of not being highly conscious. This applies not only to local governments but also to companies that have customer and other data. In former times, companies that have not less than 5,000 pieces of personal information were obligated to protect information, but after this amendment, companies that have less than 5000 pieces of the same are also obligated to do so. The PPC gives seminars and advice to small and medium-sized enterprises that have not worked on protection of personal information. You should inquire at the PPC by all means.

In addition, each local government has established its own ordinance on personal information protection. As there are about 2,000 such ordinances in Japan, there has arisen a problem called the 2,000 ordinances problem with personal information protection in which ways of protecting personal information widely vary. For example, as a local government that experienced a natural disaster did not make public the names of the missing for reason of its personal information protection ordinance, the site of the rescue operation was thrown into confusion. At the time of the Great East Japan Earthquake, as hospitals suffered damage and medical records were washed away, patients tried to have medicine dispensed based on records on statements of medical treatment fees for national health insurance, but some municipalities did not provide information for reason of personal information protection. Similarly, municipalities made a rough estimate of the number of temporary houses to be constructed for the reason that personal information could not be used, and then some municipalities had a large number of temporary houses left over and others were short of temporary ones. These problems are related to the system of local autonomy and cannot be necessarily unified by the Personal Information Protection Act. However, for that very reason, I hope that municipalities will voluntarily put emphasis on providing training and education to their personnel. For example, the Personal Information Protection Act provides that personal information may be used to maintain the lives, bodies, and property of citizens, and if a person understood its intent, the person, I think, could judge to what to give precedence in the cases mentioned above even though such precedence is not explicitly prescribed in the ordinance. If it was assumed that the national government or a ministry or agency needs to draw up a manual to give instructions on what to do as the case may be, it would come into question in what area in the world local governments will display their autonomy.
 

Dispelling Citizens’ and Consumers’ Distrust Is Important

The Amended Personal Information Protection Act has a side of strengthening personal information protection, and another side of promoting utilization of personal information. Anonymously Processed Information will be mainly utilized. In other words, if personal information is utilized through a procedure in accordance with the law, there is little fear that individuals’ information or privacy will be exposed to risk. However, no matter how much security is strengthened, it would be difficult to do away with damage from leakage of personal information. As mentioned above, for municipalities and companies, an important issue is to put emphasis on establishing a system of risk management and providing education to persons in charge in order to minimize damage. In addition, it is important for companies to clearly show an explanation and cautionary note of management and utilization of personal information when they obtain personal information from their customers. Dissipating citizens’ and consumers’ distrust will lead to relieving overreaction to personal information protection and expanding proper utilization of personal information.


* The information contained herein is current as of October 2017.
* The contents of articles on M's Opinion are based on the personal ideas and opinions of the author and do not indicate the official opinion of Meiji University.


Profile

Hidetomo Sasaki

Professor, School of Law, Meiji University

Research field:
Law informatics, cyberlaw, and foreign law (Anglo-American law)

Research themes:
An influence which the development of information technology has on American law, a comparative study on an influence which the progress of information and communications technology has on the legal system in Japan and the US, a study on democracy and the media by a comparative method, and a study on protection of privacy and personal information by a comparative method

Main books and papers:
◆“Internet jono shiteki jijitsu kohyo gata privacy shingai to America gasshukoku kempo shusei daiichi jo” (Privacy Invasions by Making Public Private Facts on the Internet and the First Amendment to the United States Constitution) The collected papers on law Vol. 89 No. 6 (2017)
◆“Beikoku no Network churitsu gensoku to rempo kempo shusei daiichi jo” (Principle of Network Neutrality in US and the First Amendment to the US Constitution) NBL Extra Number 153 (2015)
◆ “Beikoku no denshi media kisei no kihon rinen to chiiki level no hosokyoku shoyu kisei” (Basic Idea of Regulation of Electronic Media in the US and Regulation of Owning Broadcasting Stations at a Local Level) The information and communications policy review No. 9 (2014)
◆“Digital jidai no hoso media kisei to America gasshukoku kempo shusei daiichi jo” (Regulation of Broadcasting Media in the Digital Age and the First Amendment to the United States Constitution) The Bulletin of the Institute of Social Sciences, Meiji University No. 51 (2013)
◆“Hin-i ni kakeru hyogen to internet” (Expressions Lacking Dignity and the Internet) Jurists Extra Number 213: Selection of 100 Precedents of American Law (2012)
◆“Publicity ken to America gasshukoku kempo shusei daiichi jo” (Publicity Right and the First Amendment to the United States Constitution) The collected papers on law Vol. 84 Combined number for 2 and 3 (2012)
◆“IT Business ho nyumon” (First Book in IT Business Law) (a joint work published by TAC Co., Ltd. in 2010)
Many other books and papers

Page Top

Meiji University

Copyright © 2015 Meiji University. All Rights Reserved.