Data Privacy Protection of Personal Information Versus Usage of Big Data: Introduction of the Recent Amendment to the Act on the Protection of Personal Information (Japan).

• Author: Higashizawa, Noriko

MORE and more businesses are waking up to the importance of big data as a strategic resource. By analyzing the purchase history of its customers, a business can easily identify purchase trends and patterns. The increasing availability of cloud processing, analytics, and storage services has enabled businesses of all sizes across many industries to access big data. However, we must remain concerned both about the collection of personal data and in particular, the promulgation of data privacy laws to both protect personal data and, at the same time, promote the utilization of big data.

In Japan, the Act on the Protection of Personal Information ("PPIA") was recently amended and became effective on May 30, 2017 (the "Amended Act"). The amendments will introduce a number of changes to existing personal data protection system. The term "personal information" as used in the Amended Act, for example, has been clarified to further protect personal data and introduce more necessary regulations. At the same time, the amendments introduce the concept of "Anonymously Processed Information" to promote the use of enormous personal data (i.e., big data) collected through the development of information and communication technology ("ICT"). The Amended Act also introduces new rules in response to the globalization of data flows.

The purpose of this article is to provide practitioners with an understanding of three important changes made by the Amended Act and how these changes are likely to play out in practice. In Part I of this article, we will give a brief explanation on the newly revised definition of personal information under the Amended Act. Part II addresses and clarifies how and when big data should be treated under the new concept of Anonymously Processed Information. Part III discusses the new scheme under the Amended Act on cross-border transfers of personal information.

1. Definition of Personal Information

   1. Clarification of definition of personal information

      Under PPIA, "personal information" was defined broadly, and the scope of personal information was at times ambiguous. This ambiguity created difficulties among business operators. (1) For instance, information like personal identification numbers would not fall under the definition of personal information under PPIA in the absence of other information that could be easily used to identify a specific individual. With the development of ICT, however, there is a growing concern that privacy rights are at risk if information like personal identification numbers are not properly handled, since this type of information can now be easily linked with other information to identify a specific individual.

      To clarify the scope of personal information, the Amended Act defined the concept of "Individual Identification Codes." (2) "Individual Identification Codes," include codes, characters, letters, numbers, or symbols as prescribed in the Order for Enforcement of the Amended Act (the "Cabinet Order"). According to the Cabinet Order, Individual Identification Codes consist of two categories of codes:

      (1) Codes which a body feature of a specific individual has been converted into data to be provided for use by computers, including DNA sequence data, facial recognition data, iris pattern data, voiceprint data, gait pattern data, palm/finger vein pattern data and fingerprint/palm print data.

      (2) Codes which are assigned in regard to the use of services provided to an individual or to the purchase of goods sold to an individual, or which are stated in a document issued to an individual so as to be able to identify a specific user or purchaser, such as a passport number, basic pension number, driver's license number, individual number (so-called "My Number") and national health insurance number. (3)

   2. Regulations concerning Special Care-Required Personal Information

      The Amended Act introduces the concept of "Special Care-Required Personal Information", which broadly corresponds to concepts of "sensitive personal information" as seen in other jurisdictions, most notably in the EU and an increasing number of jurisdictions in the Asia-Pacific region. "Special Care-Required Personal Information" means personal information comprising the following data which require special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data holder. (4)

      The Amended Act directly designates items as "Special Care-Required Personal Information" as follows: race; creed; social status; medical history; criminal record; and history of being a victim of crime.

      In addition, the Cabinet Order (5) has designated other items to be "Special Care-Required Personal Information," including:

      * Physical/intellectual disabilities, mental disorder;

      * Results of a medical checkup, specific health guidance, medical care or prescriptions; and

      * Criminal proceedings (including proceedings under the Juvenile Act) brought against a data holder as a suspect or defendant). (6)

      A business operator must obtain the consent of the data holder in advance to obtain Special Care-Required Personal Information, (7) and the transfer of such information to a third party based on an opt-out basis is not permitted. (8)

2. Anonymously Processed Information

   Under the PPIA, securing the consent of data holders was generally required to utilize their personal information for purposes other than those specified in advance or to provide their personal information to third parties. This system ended up as one of the primary barriers to promoting the use of personal information. To address the obvious administrative problems that this rule created, the Amended Act adopted the concept of "Anonymously Processed Information" to promote the utilization of diverse and vast amounts of personal information for big data use. By so doing, the Amended Act will create new businesses and services and simultaneously to prevent violations of privacy rights. Anonymously Processed Information is not affected by restrictions like the restriction on use beyond the scope of purpose. It also imposes no particular obligations to obtain the consent of the data holder for such uses. Anonymously Processed Information can also be provided to a third party without obtaining consent from the data holder.

   1. Definition of Anonymously Processed Information

      "Anonymously Processed Information" means information relating to an individual that can be produced from processing personal information so as neither to be able to identify a specific individual by taking prescribed action nor...