Recently, we often see headlines such as “big data,” “data utilization,” and “data collaboration.” According to the “White Paper on Information and Communication” published by the Ministry of Internal Affairs and Communications (MIC), the popularization of ICT (Information and Communications Technology) has led to the generation, collection, and accumulation of massive digital data. The report states that AI can analyze this information and use it to improve the efficiency of business processing, increase the accuracy of forecasts, and provide optimal advice, leading to the creation of new value in the real world, and that data is now being referred to as “the oil of the 21st century.”

As a result, the Act on the Protection of Personal Information needs to be in line with the actual situation and should be balanced between security and utilization. The amendment of the Act on the Protection of Personal Information in 2020 was based on this perspective, and we will provide an overview of the revision in this report.

Outline: Act on the Protection of Personal Information

The Act on the Protection of Personal Information is a law that establishes common rules for companies and organizations to ensure that personal information is handled properly and with care so that users and consumers can feel secure and make effective use of it.

The Act on the Protection of Personal Information defines “personal information” as,

・Information about a living person that can identify the specific individual by name, date of birth, etc.

・Items that contain personal identification codes (fingerprints, passports, driver’s licenses, individual number, and other characters, numbers, symbols, codes, etc. that can identify a specific individual by that information alone).

The purpose of the Act on the Protection of Personal Information is to ensure that the proper and effective use of personal information contributes to the creation of new industries and the materialization of a vibrant economy and affluent lifestyles for citizens, and to protect the rights and interests of individuals while taking into consideration the usefulness of other personal information.

Outline: Amendments to the Act on the Protection of Personal Information 2020

The “Bill for Amendments to the Act on the Protection of Personal Information” submitted to the 201st Ordinary Diet session on March 10, 2020, was passed and enacted by the Diet on June 5, 2020, and the “Amendments to the Act on the Protection of Personal Information” was promulgated on June 12, 2020. The amended law will be enforced within two years from the date of promulgation, with some exceptions. The contents of this amendment are divided into the following six themes.

(1) Rights of individuals

・Relaxed requirements for individuals’ right to request suspension of use, elimination, etc.

・Amended the method of disclosure of retained personal data so that the person can instruct the method of disclosure

・Amended the person can request disclosure of records provided to third parties

・Short-term data retained for six months or less is amended to be subject to disclosure, suspension of use, etc.

・Limit the scope of personal data that can be provided to third parties through opt-out provisions

*”Opt-in”: The prior consent of the person to whom personal information is handled to provide personal data to a third party by a business operator handling personal information.

*”Opt-out”: to be notified or made available for authentication that personal data will be provided to a third party, and to be deemed to have consented to the provision of personal data to a third party, unless the individual objects.

(2) Responsibilities of business operators

・Require reporting to the committee and notification to individuals in the event of a breach, etc.

・Clarify that personal information must not be used in an inappropriate manner.

(3) The system to encourage voluntary efforts by business operators

・Amended to allow organizations of specific areas (divisions) of a company to be certified.

(4) Measures to be taken for data utilization

・Establishment of “Pseudonymous Data” in which names, etc. are deleted

・Relaxation of obligations to respond to requests for disclosure and suspension of use, etc.

*”Pseudonymized Data” refers to personal data that has been processed in such a way that individuals cannot be identified unless it is cross-checked with other information. Confirmation became obligatory that the consent of the individual has been obtained for the provision of information to a third party that is expected to become personal data at the recipient.

(5) Penalties

・Increase in statutory penalties

(Under the current law, the maximum statutory penalty was imprisonment of up to six months, but under the revised law, the maximum penalty is increased to imprisonment of up to one year.)

・Raise the maximum amount of fines for corporations, rather than for actors.

(Under the current law, the maximum fine is 300,000 yen, but under the amended law, the maximum fine will be 1,000,000 yen)

(6) Extraterritorial application and cross-border transfer of the law

・Foreign business entities that handle personal information, etc. pertaining to persons in Japan are amended to be subject to collection of report and orders secured by penalties.

・When providing personal data to a third party located in a foreign country, provide enhanced information to the individual regarding the handling of personal data at the transferee entity.

*https://www.ppc.go.jp/files/pdf/200612_gaiyou.pdf (Excerpted from the summary document “Law for Partial Revision of the Act on the Protection of Personal Information, etc.” released by the Personal Information Protection Commission)

Based on the provision regarding the “so-called triennial review” (Article 12 of the Supplementary Provisions) established in the amended Act on the Protection of Personal Information of 2015, this amended Act on the Protection of Personal Information was subject to hearings from related organizations and experts to ascertain the actual situation and to summarize the issues. In addition, the above amendments were implemented from the viewpoint of increasing awareness of personal information, balancing security and utilization considering technological innovations, and addressing new risks associated with the increased distribution of cross-border data.

Act on the Protection of Personal Information and Data Utilization

The Ministry of Internal Affairs and Communications (MIC) expects the development of predictive and preventive services that anticipate future problems based on past data and other information and address the problem before they occur, as well as services that provide customized information to individuals through the safe and effective use of personal information and other data. In addition, the Cabinet Office has proposed “Society 5.0” as a vision of the future society that Japan should aim for. Society 5.0 is defined as “a human-centric society that achieves both economic development and solutions to social issues through a system that highly integrates cyberspace (virtual space) and physical space (real space) “

Society 5.0 is described as the following.

The Internet of Things (IoT) will overcome challenges and difficulties by connecting all people and things, sharing various knowledge and information, and creating new value unprecedented. Artificial intelligence (AI) will provide necessary information when it is needed, and technologies such as robots and self-driving cars will overcome issues such as the declining birthrate, aging population, depopulation in rural areas, and economic disparities. Through social transformation (innovation), we will break through the stagnation of the past and create a society where people can have hope, where people can respect each other across generations, and where everyone can be comfortable and play an active role.

* (Excerpted from the Cabinet Office HP “Society 5.0”: https://www8.cao.go.jp/cstp/society5_0/)

As seen above, in order to materialize Society 5.0, it is important to take measures to materialize an industrial society where new added value is created by connecting a wide variety of data, to digitally transform companies, to create a foundation for data collaboration and sharing across society, and to ensure safety. It will be important to take measures to ensure the safety of data. In line with this reality in which the use of data has become indispensable, the Act on the Protection of Personal Information takes as its basic approach the need to balance between the protection of the rights and interests of individuals and the usefulness of personal information. Based on this basic idea, the 2020 amendment of the Act on the Protection of Personal Information, from the viewpoint of how measures for data utilization should be implemented, amended the following provisions

① “Establishment of Pseudonym Data.”

*”Pseudonymized Data”: Personal information that has been processed in such a way that a specific individual cannot be identified unless it is cross-checked with other information.

② “Clarification of the rules regarding information that is expected to become personal data at the recipient.”

It is envisioned that this amendment will enable the analysis and utilization of information while decreasing the risk of infringement of personal rights, strengthening broad competitiveness. It is important to reiterate that the Act on the Protection of Personal Information is not only for the protection of personal information, but also for the creation of new industries and the materialization of a vibrant economic society and affluent life of the people through the appropriate and effective use of personal information, in order to balance between the protection of individual rights and interests and the usefulness of personal information.

Conclusion

The Act on the Protection of Personal Information is designed not only to protect the rights and interests of individuals, but also to balance the effective use of personal information. In addition, as stated in Society 5.0 by the Cabinet Office, the effective use of data is becoming indispensable to solve various issues.

Jasmy, one of the companies supported by Tokyo Token, aims to design a society where individuals and companies can freely and without stress, provide each other with data for their own benefit as well as for the common good of society, based on the basic concept of “democratization of data” in which personal data should belong to the hands of individuals. To this end, we will pursue a sense of security that allows individuals to permanently control the authority to manage and store necessary data, while at the same time providing companies with the convenience of being able to immediately and extensively utilize the data they have been granted permission to use from individuals. Finally, we’re happy to share Jasmy’s white paper on the technologies that they believe are necessary to make this society come true.

Jasmy White Paper (https://www.jasmy.co.jp/images/whitepaper.pdf)

(Reference materials and websites)

≫ Personal Information Protection Commission “Act on the Protection of Personal Information Handbook”

≫Tokyo Metropolitan Government HP “Outline of the Personal Information Protection Law” https://www.johokokai.metro.tokyo.lg.jp/

≫ Ministry of Internal Affairs and Communications “White Paper on Information and Communications 2019” https://www.soumu.go.jp/johotsusintokei/whitepaper/ja/r01/pdf/index.html

≫ Personal Information Protection Commission HP “About the Amended Act on the Protection of Personal Information 2020”

https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/

≫ Ministry of Internal Affairs and Communications HP “Promotion of ICT Utilization”

https://www.soumu.go.jp/menu_seisaku/ictseisaku/ictriyou/bigdata.html

≫ HP “Society 5.0”, Cabinet Office, Government of Japan

https://www8.cao.go.jp/cstp/society5_0/

≫ Ministry of Economy, Trade and Industry “Key Points of Data Utilization: New Value Created by Co-Creation of Data Utilization” (Japanese only)

https://www.meti.go.jp/policy/economy/chizai/chiteki/pdf/datapoint.pdf

≫Chuokeizai-sha, “2020 Amended Act on the Protection of Personal Information Q&A”