Tomorrow, March 3rd, at OpenID BizDay #2, we will host a roundtable discussion on "Practical Privacy Considerations for Companies" with Professor Suzuki Masatomo of Niigata University and Professor Takagi Hiromitsu of AIST as guests. As moderator, I hope to ask a range of questions and draw out how companies should handle privacy in their day-to-day activities. The reason the OpenID Foundation Japan is holding this session is that OpenID is, at bottom, a framework for obtaining consent and providing attributes.
The agenda is not fixed and may still change, but for now I plan to ask the questions below. Just reading them, you are probably already curious, right?!
Note that this is a paid event; applications are taken on the event page.
Q.1 There seem to be many related laws: the Personal Information Protection Act (APPI, scheduled for revision this year), the Penal Code, the Consumer Contract Act, the Civil Code's law of obligations (also scheduled for revision this year) and its tort provisions. How do they relate to each other? Even where the APPI says something is permissible, other laws may well say it is not, so complying with the APPI alone does not seem to be much of a defence. Please explain that as well.
For example, although it apparently did not make it into the current revision, even if a change of purpose of use is permitted under the APPI, a change that is disadvantageous to the consumer is prohibited under the Consumer Contract Act, and the law of obligations points the same way. If a company proceeds simply because something is OK under the APPI, it is likely to fall foul of another law in many cases. For example:
- Purpose of use: the Penal Code offences concerning unauthorized electromagnetic records, the Telecommunications Business Act, the Radio Act, the Civil Code (obligations), the Civil Code (torts), the Consumer Contract Act (METI Q45)
- Security controls (safety management measures): the Unfair Competition Prevention Act
Legal compliance has to take all of these into account at once. We would like to hear how these laws relate to one another.
Q.2 I think the goal of a company in doing business is to raise its brand value and have its products and services rated more highly, not to fret over laws and regulations, yet there seems to be a large gap between that and the current debate about the APPI. Why do you think that is?
Companies that operate internationally have to look not only at domestic law but at the laws of other countries as well, which is hard enough. Beyond that, actually doing business takes more than following the law. What matters is winning the trust of consumers, in other words building a brand. Following the law is a given; the real task is what comes on top of it. The international standards do state what has to be done to reach that level, but when I listen to the debate on the ground, that part seems to be missing entirely. What is the situation here?
Q.3 What is a "specific individual"? I have heard from several quarters that this was a major battleground in the current amendment, and that the scope of "personal information" is being narrowed as far as possible. Could you explain this concept in a little more detail?
At this point we might jump to an explanation of the linkability concept in ISO/IEC 29100.
Q.4 Does it even make sense for companies to narrow the scope of "personal information"? From the standpoint of preserving brand value, narrowing what you consider seems more likely to increase risk.
The wish to "limit the scope as much as possible" is understandable if compliance with the APPI is the only concern, but as noted above that is not good enough, and I personally find it very uncomfortable. It is the exact opposite of the ISO/IEC 29100 Privacy Framework, drawn up by companies and government officials from nearly 80 countries. That standard defines personally identifiable information (PII) very broadly as "any information that (a) can be used to identify the person to whom it relates, or (b) is or might be directly or indirectly linked to that person" [1], and devotes a whole section to how to spot PII that is not obvious at first sight. On top of that it says that the privacy impact depends on how the "personal information" is "used", and that measures should be taken according to that risk level. Sharing business-card details for contact within a department, for example, is low risk and modest controls suffice, whereas health consultation records entrusted to you must be handled with great care. Once damage to brand value is factored in, I think this approach is far more practical.
Q.5 What should the disclosure, notice and consent procedures look like before changes to terms and conditions?
Google has been announcing and notifying users for months, while other companies simply change their policies. Yet it is mostly the former that gets criticized, which strikes me as unbalanced. How long before a change takes effect should companies start doing this properly?
Q.6 It seems a new term, "anonymously processed information", will be introduced this time. "Anonymous processing" that does not require an opt-out sounds like an even more restricted form of the statistical processing that is already allowed under current law. Could you explain in more detail?
I feel somewhat uncomfortable with the background and the discussion that led to this. It appears to start from the so-called three FTC requirements, but I think there is a big misunderstanding there. The point was never that data could be handed to anyone; the backdrop is Section 5 of the FTC Act, and the three requirements are accepted so that Section 5 can be brought to bear on both the provider and the recipient. For the first requirement, "de-identification", it has long been said that "there is no de-identification safe enough that it cannot be re-identified", so whether it is technically achievable is beside the point: the sense is that Section 5 becomes enforceable by having the company declare that it has de-identified the data and, under the second and third requirements, declare that it will neither re-identify the data itself nor allow recipients to do so. Transplanting this to Japan, where there is no equivalent of Section 5 of the FTC Act, does not work as it stands. If Japan goes this route, it should amend the Antimonopoly Act so that the Fair Trade Commission can step in.
Q.7 Regarding cross-border transfers of data, I have heard it would be dangerous for a global company to bring the data of employees living in the EU to Japan and use it for personnel evaluations in Japan. What do you think? What can be done to do this safely?
Well, one answer is to send the data to the EU and do the personnel evaluations there. Since the company already has EU subsidiaries, it could simply make one of them the headquarters, so some say it makes little difference to the company.
Q.8 I heard that the revised APPI will require that "when personal information is provided to a third party, both the provider and the recipient must keep records of it". How far should this go?
Think about it in practice. Suppose attributes are passed using OpenID Connect / OAuth. The IdP side should record where each attribute was sent. The RP side should, in principle, record what it received and from where. But once received, the attributes will end up in a database regardless of the route they arrived by, and along the way the RP may also receive new information directly from the person. At that point it is no longer clear where a given value came from or why it is held, so existing systems will likely need a fair amount of modification. This is a textbook case of how skipping privacy by design becomes very expensive later; the ISO/IEC 29101 Privacy Architecture Framework also says to design this in from the very beginning...
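As an added example (not code from the original post, and not from any OpenID Foundation project), here is one way an RP could keep the provenance that the previous paragraph says gets lost. It assumes a hypothetical relying party that stores every attribute value in an append-only ledger together with the `iss` and `aud` of the ID token it arrived in, or marks it as user-entered, and a matching IdP-side release log keyed by `sub` and `aud`. The ID token payload, issuer URL, client ID, account identifier and timestamps are all constructed sample data, and signature verification of the token is assumed to have happened before the claims are stored.

```python
"""Attribute-provenance ledger for a hypothetical OpenID Connect RP and IdP.

Added example, not code from the original post. All identifiers and the
ID token payload below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Claims that describe the ID token itself rather than the person; they are
# not stored as attributes, but iss/aud are what each provenance record cites.
ID_TOKEN_META_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nonce",
                        "auth_time", "azp", "at_hash", "acr", "amr"}


@dataclass(frozen=True)
class Provenance:
    attribute: str
    value: Any
    source: str               # "idp" (from an ID token) or "user" (typed in)
    issuer: Optional[str]     # ID token `iss`; None for user-entered data
    client_id: Optional[str]  # ID token `aud`; None for user-entered data
    purpose: str              # purpose of use the value was collected for
    received_at: datetime


class RelyingPartyStore:
    """Append-only per-account ledger: every value keeps its origin."""

    def __init__(self) -> None:
        self._ledger: Dict[str, List[Provenance]] = {}

    def record_id_token(self, account: str, claims: Dict[str, Any],
                        purpose: str, now: datetime) -> List[str]:
        """Store the attribute claims of an already verified ID token.

        Returns the attribute names stored; the IdP logs the same list as
        released to `aud`, so the two records can be reconciled later.
        """
        stored = []
        for name, value in claims.items():
            if name in ID_TOKEN_META_CLAIMS:
                continue
            self._ledger.setdefault(account, []).append(Provenance(
                name, value, "idp", claims["iss"], claims["aud"], purpose, now))
            stored.append(name)
        return stored

    def record_user_input(self, account: str, attribute: str, value: Any,
                          purpose: str, now: datetime) -> None:
        """Store a value the person entered directly; no issuer stands behind it."""
        self._ledger.setdefault(account, []).append(Provenance(
            attribute, value, "user", None, None, purpose, now))

    def current(self, account: str) -> Dict[str, Provenance]:
        """Latest record per attribute: what the RP actually holds right now."""
        latest: Dict[str, Provenance] = {}
        for rec in self._ledger.get(account, []):   # ledger is in time order
            latest[rec.attribute] = rec
        return latest

    def lineage(self, account: str, attribute: str) -> List[Provenance]:
        """Every value this attribute has had, oldest first, with its origin."""
        return [r for r in self._ledger.get(account, []) if r.attribute == attribute]

    def held_from_issuer(self, account: str, issuer: str) -> List[str]:
        """Attributes whose *current* value still originates from the given IdP."""
        return sorted(a for a, r in self.current(account).items()
                      if r.source == "idp" and r.issuer == issuer)


class IdentityProviderLog:
    """IdP-side record of which claims were released to which RP, for whom."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def record_release(self, subject: str, client_id: str,
                       claim_names: List[str], now: datetime) -> None:
        self.entries.append({"sub": subject, "aud": client_id,
                             "claims": sorted(claim_names), "at": now})

    def released_to(self, client_id: str) -> List[str]:
        """Union of claim names ever released to one RP."""
        names: set = set()
        for e in self.entries:
            if e["aud"] == client_id:
                names.update(e["claims"])
        return sorted(names)


def demo() -> Dict[str, Any]:
    """Walk one attribute flow and return the facts a record-keeping audit asks for."""
    t0 = datetime(2015, 3, 3, 9, 0, tzinfo=timezone.utc)
    id_token = {  # constructed ID token payload, assumed verified
        "iss": "https://idp.example.com", "sub": "24400320",
        "aud": "rp-client-123", "iat": 1425373200, "exp": 1425376800,
        "nonce": "n-0S6_WzA2Mj", "email": "alice@example.com",
        "name": "Alice Example", "address": {"country": "JP"},
    }
    rp, idp, account = RelyingPartyStore(), IdentityProviderLog(), "user-42"
    stored = rp.record_id_token(account, id_token, "account creation", t0)
    idp.record_release(id_token["sub"], id_token["aud"], stored, t0)
    # Later the person corrects their address directly on the RP's site.
    rp.record_user_input(account, "address", {"country": "JP", "locality": "Niigata"},
                         "shipping", t0.replace(hour=10))
    return {
        "stored_from_idp": stored,
        "idp_released": idp.released_to("rp-client-123"),
        "address_lineage": [(r.source, r.issuer) for r in rp.lineage(account, "address")],
        "still_from_idp": rp.held_from_issuer(account, "https://idp.example.com"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the address first arriving from the IdP and later being replaced by a user-entered value; `held_from_issuer` then reports only `email` and `name` as still originating from that IdP, which is the question both sides need to be able to answer under a recording obligation. The IdP log is keyed by `sub` and `aud` while the RP ledger is keyed by the RP's own account identifier, so reconciling the two requires keeping that mapping as well; that is exactly the kind of linkage that has to be designed in up front rather than retrofitted.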
[1] ISO/IEC 29100, clause 2.9: PII = "any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal".