The amended privacy protection law, which was fully implemented this week, aims to facilitate the use of people’s personal information, such as their shopping history, as a business tool as long as the information has been processed into anonymous data, while also tightening the rules on parties that handle personal information. Whether anonymity of the private data that gets traded is secure enough must be continuously monitored. At the same time, efforts must be made to ensure that tightened rules on the handling of personal data does not deter the disclosure or flow of necessary information in the name of privacy protection.
People’s personal information, including their names, dates of birth and home addresses, is passed on every day through the use of credit cards, IC train passes, online shopping, health checkups and so on. The revised law meanwhile allows personal information to be freely traded — without the consent of the individuals — once the data has been rendered anonymous by deleting the names and other pieces of information that identify individuals. There are demands for analyzing and using such data to develop new services and products.
Concern lingers, however, that the anonymity of such data may not be secure if it’s not sufficiently processed. Even if names and addresses have been removed, it has been pointed out, individuals may be identified by matching the data with other information available. The government must monitor whether the mechanism to ensure the anonymity of the traded personal information is working as intended.
Behind the latest amendment to the privacy protection law were a series of personal information leaks that took place after the law’s last revision in 2005. In a case involving the major education service provider Benesse Corp. that surfaced in 2014, nearly 30 million bits of customers’ private information, including names, birthdates, phone numbers and addresses were stolen and sold through name-list brokers.
The new amendment clarifies the definition of personal information to be protected, and makes it mandatory for the parties that provide and obtain such information to keep records of the exchanges and their dates. Information related to people’s physical features such as face and fingerprint recognition data were newly included as personal information. Information such as individuals’ race, creed, and medical, criminal and crime-victim history were categorized as “private information requiring consideration” that must not be provided or obtained without the consent of the individuals. Small-scale businesses that handle information on up to 5,000 customers — which had previously been excluded from the rules regulating personal information — are now covered by the amendment.
Steps need to be taken to protect personal information from abuse. But at the same time, tighter rules on the handling of such data have had the side effect of discouraging the sharing of necessary information. The last amendment to the privacy protection law caused some confusion — in an apparent overreaction to the revision — that led to schools and community organizations being unable to compile lists of emergency contact information for children’s parents and local residents. In 2015, the municipal government of Joso, Ibaraki Prefecture, would not release the names of people listed as missing in the massive flooding, citing the need to protect personal information. Local authorities made similar responses in the 2014 landslides that hit Hiroshima and the eruption of Mount Ontake, which straddles Nagano and Gifu prefectures, the following year — even though disclosing the names of people who have gone missing in disasters can aid search efforts.
In addition, police have refused to disclose the names of victims in some serious crime cases. Concern also exists that scandals and wrongdoings by politicians and government officials could be kept anonymous on the same grounds. The government needs to make sure that the tightened rules do not lead to nondisclosure or the cover-up of information that need to be publicly shared on the pretext of privacy protection.
In a statement released this week, the Japan Newspaper Publishers and Editors Association emphasized that media organizations will not be covered by the regulations on personal information when they seek to obtain such data for the purpose of news reporting — nor the sources that provide such information to the media. While people’s personal data should be protected, efforts also need to be made to stop information that need to be shared in society from being buried.