The personal information held by private-sector companies and other entities is being discussed within the framework of the Act on the Protection of Personal Information. According to Article 2 Paragraph 1 of the current Act on the Protection of Personal Information, the term “personal information” means “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).” Personal information cannot be provided to a third party without the consent of the individual, with the exception of cases in which there is an opt-out. Meanwhile, information that does not constitute personal information covered by the Act on the Protection of Personal Information (“non-personal information”) can be used for commercial purposes and sold. In order to discuss how this type of non-personal information is positioned as personal data, it is necessary to consider the possibility of the anonymization of personal data from various perspectives.
With the aim of clarifying the rules concerning the use of this type of personal data, the Cabinet Secretariat’s IT Strategic Headquarters started holding the Research Society for Use and Circulation of Personal Data in September 2013, which was subsequently held a total of 12 times (September to December 2013 and March to June 2014) (first chaired by Masao Horibe, Emeritus Professor at Hitotsubashi University, and subsequently chaired by Katsuya Uga, Professor the University of Tokyo from March 2014). In addition, in order to further consider the technical aspects of the use of personal data, a Technical Review Working Group (“Technical Review WG” chaired by Ichiro Satoh, Professor at the National Institute of Informatics) was established within the Research Society for Use and Circulation of Personal Data. The Technical Review WG was held a total of six times (September to December 2013 and April to May 2014. Due to my considerable research experience covering the anonymization of statistical data, I also became involved in discussions on personal data as a member of the Technical Review WG.
One of the major discussion themes of the Technical Review WG of the Research Society for Use and Circulation of Personal Data was the possibility of reasonable technical anonymization measures. The Technical Review WG reached the conclusion that a versatile technology that makes it possible to process any type of personal information so that individuals cannot be identified does not exist and that the possibility of applying technologies to process information so that individuals cannot be identified should be judged on a case-by-case basis. Furthermore, the Technical Review WG presented the concept of “pseudo personal data” (provisional name) such as facial recognition data that differs from personal information but could be used to identify individuals, as well as the concept of “data with reduced personal identification characteristics” (provisional name). In terms of data with reduced personal identification characteristics, because it is not possible to define the minimum processing method to ensure that data has these characteristics, it was pointed out that it would be necessary for businesses to adequately process this data based on their own judgment and responsibility while giving consideration to the balance between reducing the ability to identify specific individuals and the needs of the user.
In consideration of these discussions by the Technical Review WG, the Research Society for Use and Circulation of Personal Data released the “Policy Outline of the Institutional Revision for Utilization of Personal Data” (the “Policy Outline”) in June 2014. Concerning data with reduced personal identification characteristics that can be provided to a third party without the consent of the individual concerned, the Policy Outline points out the necessity of regulations and self-regulation by private-sector organizations that prohibit the identification of specific individuals, as well as the importance of the adequate enforcement of institutions through the establishment of a third-party organization.
The Ministry of Internal Affairs and Communications is currently holding the Research Society on Personal Data Held by Government Organizations to discuss the personal data held by government organizations, independent administrative institutions, and other bodies, as well as the availability of this data. Meanwhile, discussions concerning the revision of the Act on the Protection of Personal Information based on the Policy Outline will be likely to become more advanced as efforts are made to further utilize the personal data held by private-sector companies. I will continue to watch these development in the use of personal data in the future.