“Big Data” Raises Big Legal Questions in Japan
New IT Strategy Requires New Laws
The administration of Prime Minister Abe Shinzō is striving to implement a new IT strategy for its information and communications technology policies. Toward that end, the government’s Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Society, or IT Strategic Headquarters for short, has begun formulating the necessary new legislation. The IT strategy sets the goal of turning Japan into one of the world’s leading IT nations. It also calls for an “open data” strategy allowing government information to be used by the private sector as well as a “big data” strategy related to the use of the vast quantities of information arising from use of smartphones and other devices.
A key challenge in implementing these measures will be to maintain security and safeguard privacy. In order to address those issues, the government, led by the IT Strategic Headquarters, is drafting a revision of the Protection of Personal Information Act, or PIPA, to be submitted during the ordinary session of the Diet in 2015.
The Diet passed PIPA in 2003 as the first comprehensive law of its kind in Japan. Laws were in place prior to that to protect the digital data that government bodies held on individuals, but with the 2002 implementation of the Resident Basic Register Network System, which digitized the Basic Resident Registers of municipal governments nationwide, general rules were drawn up with regard to the protection of personal information. The rules were intended to allay privacy fears regarding the indications that the nationwide computer network to share data between government agencies, called “Jūki net,” was to be linked to a national identity numbering system with unique ID issued to citizens of Japan. The rules were meant to reassure the public that privacy would be fully safeguarded, thereby calming fears about private-sector usage of personal information.
Overheated Privacy Concerns
The fundamental idea behind PIPA is that no use of personal information will be made without prior notification to the individual involved and that the information will not be passed to a third party without permission. The law was said to be an application of the privacy protection systems introduced in Europe. A number of unforeseen problems arose after its implementation, though. Because of the extreme reaction on the part of both citizens and the business world, cases arose where apartment buildings and schools stopped listing the names of residents and students and hospitals stopped posting patient names outside hospital rooms.
In July 2014, a scandal emerged when personal information on elementary school children and their parents held by Benesse Corporation, a major correspondence education and publishing firm, was found to have leaked. In a sense, this scandal was the outcome of the inability to obtain information on students and their parents from Basic Resident Registers, thus leading to backdoor selling of information by name-list traders, who compile or obtain databases of personal information and sell it to marketers or other interested parties.
We can see, then, that although PIPA helped raise privacy awareness among Japanese citizens, the mistaken interpretations of the law and overzealous applications of it have unquestionably had a detrimental effect on economic activity and productivity.
Data Analysis Reaches New Heights
This is the context in which the debate over “big data” has emerged. The term was originally used during the era of mainframe computers to refer to a quantity of information that was too large to be processed. But with the recent advances in information technology, the term has come to refer to massive quantities of data that can be effectively analyzed to benefit society or economic activity. At the heart of this new trend is the emergence of new information technology capable of storing and sharing massive quantities of data via the Internet.
Particularly noteworthy are the parallel processing technologies MapReduce and Hadoop, developed by US-based IT giants Google and Yahoo, respectively. These technologies have made it possible to collect and analyze unstructured information, such as social-media and sensor data.
But the existence of PIPA has raised issues related to the use of this big data. The IT industry and other business sectors in Japan, like their counterparts in the United States, view the processing of big data as useful to economic activities, but current Japanese law does not allow for widespread use of the data. The move underway now to revise the law, led by the IT Strategic Headquarters, is an effort to bring it into line with the changes that have occurred over the past decade or so in the ways that personal information is being used.
The spread of new portable devices like smartphones has greatly expanded the “gray zone” of data beyond personal names and addresses, such as terminal IDs, email addresses, and face-recognition data. The task that the IT Strategic Headquarters has set itself is to determine what rules are needed to regulate the large-scale collection and diverse use of this information as big data.
Dissent from Corporate Leaders
In attempting to determine what new rules are needed, Japan’s IT Strategic Headquarters set up an expert committee that in June 2014 came up with an initial plan for future uses of personal data.
This proposal calls for creation of a system to determine how government bodies and companies can use personal information, based a new law that will regulate the gray zone of personal information other than names and addresses. This information falls into two categories, tentatively named “low personal specificity data,” which can be used without receiving permission as long as anonymity is maintained, and “semipersonal information,” which includes such information as terminal ID and facial recognition data.
Already, though, corporate leaders have begun to voice opposition to this proposal, including those in the Japan Association of New Economy, headed by Mikitani Hiroshi, the president and CEO of Rakuten Inc. These critics noted that the introduction of slapdash regulations in a sector characterized by rapid technical innovation could run counter to global business trends and hinder further innovation.
In the wake of this criticism, the IT Strategic Headquarters revised its initial proposal so that each industry would first voluntarily establish its own rules, after which a third-party body would gauge the suitability of the systems and standards proposed. This body was originally proposed to extend the operations of the Specific Personal Information Protection Commission, established at the time of the introduction of the “My Number” system that assigned each citizen a common number for social welfare and taxation procedures. This body is expected to take shape if legislators pass the amendment of the Act on the Protection of Personal Information.
The Need for a National Consensus
Three major tasks remain before the legal system can be revised. First, Japan must form a national consensus regarding the use of personal information as big data.
An incident that symbolized the lack of this consensus came to light in June 2013, when it became known that the East Japan Railway Company (JR East) had partnered with Hitachi, Ltd. to gather and anonymize passenger data collected from the railway’s Suica contactless smart card, with an eye to then selling this big data to third-party companies. This revelation sparked a reaction among JR East customers concerned about privacy infringement.
Some said that JR East had not taken adequate steps to anonymize the data. The company was not engaged in any illegal activity as long as it was complying with the Act on the Protection of Personal Information, though. The reason that JR East came under such harsh criticism was that its business partner Hitachi suddenly announced a new service that would make use of the data, raising questions about whether it was operating in good faith.
Although the data was anonymized, the fact that it would be used for commercial purposes clearly upset some customers. This case points to the need, first of all, to explain to customers whose information is provided to third parties what are the reasons for utilizing this information, in both social and business terms, and how the use of big data will benefit them.
Taking Into Consideration Overseas Rules
The second need concerns how to establish fair competition among foreign and domestic firms. The European Union has issued a directive on safeguarding privacy that forbids importing data on individuals from EU countries to any country whose own standards of privacy protection are not on par with those of the EU.
Therefore, even if the Japanese government succeeds in creating a new law on private information and establishes a third-party regulatory body, if the EU determines that the level of protection in Japan remains inadequate, Japanese firms will be unable to conduct business on an equal footing with firms based in EU countries. If Japanese companies cannot globally manage their information on local employees and customers, this will place them at a disadvantage against their European rivals.
When it comes to the search engines, social media sites, and security software that are now so important to network information services, countries like China and South Korea have developed their own domestic offerings. Japan, meanwhile, still relies heavily on the United States. Because information on Japanese consumers is handled by firms like Google, Apple, and Amazon, Japan is not able to control its own data. If concerns arise in Japan about those firms violating customer privacy, those concerns may not be adequately addressed because of differences in legal jurisdiction.
The Role of the “Third-Party Body”
The third and final question to address is the role of the third-party body. The current discussions within the IT Strategic Headquarters envisage the body’s role as evaluating the voluntary standards created by the private sector and holding screenings to address problems that arise. But giving this body too much authority could stifle private sector activity and impede the free utilization of data.
In the case of the United States, there is no comprehensive law in place to protect
personal information such as Japan's PIPA. Instead, industries are required to institute their own rules; when problems arise the Federal Trade Commission can issue harsh punishments. Japan probably would not be able to easily adopt a similar approach due to differences in culture and public opinion. The key point, in any case, is the need to build the environment necessary for the use of big data in a way that is well balanced with policies that safeguard personal information.
The outline for revisions of the personal data usage system formulated by the IT Strategic Headquarters calls for safety measures for consumer data provided to a third party, including the requirement that those handing over the information anonymize the data. The outlines strictly forbid the receipient to compare it to other data in order to verify the identity of customers. From the perspective of safeguarding privacy, such measures are natural, as well as an important way to craft the sort of environment where people can feel peace of mind about the provision of their personal data while still permitting that big data to bring tangible benefits to everyone.
The economic benefits of the use of big data are estimated by the government to be around ¥7 trillion. And these benefits will extend to a wide range of areas, including medical care and transportation as well as research and development. Some private-sector estimates even claim that the economic benefits will exceed ¥20 trillion.
The US government, with its sights set on these benefits, has been making a concerted effort to assist the training of more data scientists and to support investment in technical developments related to big data. Japan cannot sit idly by. Now that the Abe administration has been making steady progress toward new IT and big-data strategies, we can hope that big data will be utilized to strengthen Japan’s global competitiveness and improve the quality of citizens’ lives.
(Original article in Japanese published on October 17, 2014. Banner photograph: A woman trying out facial recognition technology at a trade show © Jiji Press.)