The government has released an interim draft of revisions to Japan’s personal information protection law, which is reviewed every three years.
A central feature of the draft is that it gives individuals the right to ask companies to stop using their personal information collected online, and requires those firms to comply with such requests.
Personal information on people who make use of various online services, including their names and addresses, is used widely for market research and to send them advertising. Under current legislation, individuals can ask companies to stop using this information only under limited circumstances, such as when the information is obtained illicitly.
The proposed revisions to the Act on the Protection of Personal Information would apply not only to Japanese companies, but also to major information technology firms such as Google Inc., Amazon Inc., Facebook Inc. and Apple Inc. — sometimes referred to collectively as GAFA.
The risk of personal information abuse is increasing in the current digital age, and so the establishment of rules prohibiting data from being used in ways that are against the wishes of individuals is a natural progression.
The interim draft, however, sidestepped some important issues.
First, there were no new proposals for restrictions on how users’ website browsing data could be used. Browsing data, which is not recognized by the current law as personal data, can be tapped to determine a user’s preferences, and target them with a barrage of tailored advertising. On this point, the government’s Personal Information Protection Commission said that browsing data is considered personal information when it can be linked with membership information and other such records to identify an individual. Because of this, there could be cases in which advertising is restricted based on a user’s request. But such restrictions would only be implemented on a case-by-case basis.
The draft also skipped over a decision on whether to permit the “right to be forgotten,” which allows individuals to have unfavorable information from the past deleted from search engine results.
In May last year, the European Union implemented the General Data Protection Regulation (GDPR), which has been described as the “world’s toughest” privacy legislation. Browsing data is recognized as personal information, and the GDPR acknowledges the right to be forgotten.
It is probably important not only to strengthen such regulations, but to bring more transparency to the process of how data is used and for what purposes. Discussion from a wide range of perspectives is needed.
The government will submit a final draft on revisions to the law this year after soliciting opinions, and will aim to submit a bill on the changes during next year’s regular Diet session. It is important to find a way of protecting personal information befitting an IT age, that adheres to user-oriented principles.