Draft rules and regulations to flesh out last year’s amendment to the law on protecting personal information have been disclosed for public comment, waiting to be formally approved by the Cabinet this fall for implementation as early as next spring. That will set the stage for the amendment’s goal of facilitating greater use of data on people’s behavior accumulated through electronic transactions — ranging from shopping history to records of travel on public transportation — for commercial purposes while tightening the rules for protection of privacy information. The bottom line should be that people’s concern for their privacy must be eliminated in the commercial use of such data.
Expectations are high for businesses to tap into “big data” — massive volumes of digital information on people’s everyday activities, including internet searches and their GPS-located movements — to analyze the data for marketing and possibly generate new demand. But public wariness and caution remains over the commercial use of such information. In 2013, East Japan Railway Co. came under fire over revelations that the railway operator had sold to a third party data culled from its customers’ IC passes — showing the movements of train passengers — even though the sale was not illegal since information identifying the pass holders, such as their names, had been deleted.
The amendment enables parties that handle people’s personal information to provide the data to third parties without consent of the people if it has been scrubbed to ensure their anonymity. Rules are now being set on what specific information must be removed before the data are provided to third parties so individuals won’t be identified.
Advances in information technology have expanded the range of information that can be used to identify individuals, including DNA, fingerprints, facial features, irises, voiceprints and even the way people walk — bodily features now used in biometric authentication. Along with people’s names, birth dates, addresses, phone numbers and numbers assigned to their driver’s license, passports and insurance cards and so forth, such information needs to be deleted from the data. These rules will need to be constantly updated to keep up with future advances in technology that could identify individuals from other diverse sets of information.
Meanwhile, the amendment created a new provision for “personal information requiring consideration” that must not be obtained or provided to third parties without consent of the persons to whom the information belongs. This includes the person’s race, personal beliefs, social status, medical records, criminal history and crime victimization — which is deemed to require careful handling to avoid the person being subjected to discrimination. The draft rules added to the list results of people’s health checkups and physical and mental disabilities, as well as records of being subjected to criminal procedures such as arrest, search and indictment.
Parties that receive anonymously processed data from others handling personal information are now required to confirm with the supplier and keep records on how the information had originally been obtained. The amendment also newly provides for punishment against stealing or supplying to others private information for the purpose of obtaining unfair benefits. The provision was added in the wake of the revelation in 2014 that massive volumes of customer information at major education service provider Benesse Corp. — including the names, birth dates and addresses of children who subscribed to its service — had been stolen and sold to name-list dealers.
The amendment and the subsequent regulations will set a new framework that addresses changing business needs and fresh concerns over breaches of personal data. What it does not seem to address, however, is the concern that an overreaction to the law originally introduced in full in 2005 has led parties to restrict disclosure of personal information more than necessary — thus withholding information that should be made available for public use. Examples range from schools and communities not being able to create emergency communications networks — which require the contact information of each member. Government offices and businesses increasingly tend to withhold the names of persons involved in scandals and other incidents on the grounds of protecting their privacy. When massive floods inundated the city of Joso, Ibaraki Prefecture, last September, the municipal government would not disclose the names of residents who were unaccounted for in the disaster. Since it took time for relevant authorities to share the information about people needing rescue, searches were continued for some residents even after their safety has been confirmed.
There are also concerns that the tightened rules on criminal records might be used by public figures such as lawmakers and bureaucrats to cover up their own scandals. How to reconcile guarding people’s privacy and disclosure of information that needs to be publicly shared should be further discussed, and the government and lawmakers should consider appropriate steps to deal with the problem.