Protection of Personal Information and Accountability
Professor, Faculty of Global Informatics, Chuo University
Area of Specialization: Information law
What is Accountability?
Accountability is a necessary part of the protection of personal information. This may sound like a preachy lecture on being responsible when handling personal information. It is often said that most Japanese people do not understand what accountability is, and do not know the difference between responsibility and accountability. Being accountable for something means having to give a satisfactory explanation of it. It might seem a matter of course that when a problem occurs, the person responsible should explain the problem.
Accountability means that you are obligated to explain, on legitimate grounds, why your actions and choices are appropriate, and that if you fail to do so, you face consequences.
A legal system that requires accountability for the protection of personal information is one that requires an explanation that the purposes of use and the handling method of personal information are appropriate; if a sufficient explanation is not given, the business or service is considered illegitimate and is subject to a suspension of use or other legal sanctions. This explanation is probably still insufficient, because it may lead the reader to think that as long as they abide by the Act on the Protection of Personal Information, they are in the clear. Abiding by the law is obviously the right thing to do. However, Japan's Act on the Protection of Personal Information does not require businesses that handle personal information to explain that the purposes of use and the handling method of personal information are appropriate.
Accountability in Personal Information Protection Systems
The Act on the Protection of Personal Information requires that the purposes for which the information can be used be specified as explicitly as possible (Article 15), that those purposes be made public (Article 18), and that the information be used within the scope of those purposes (Article 16). If the purposes of use are to be changed afterward, or if personal data is to be provided to a third party, consent must in principle be obtained from the individual concerned. However, as long as the business that collects the personal information only uses it internally for the purpose it has specified, it does not have to explain that the information will be used for appropriate purposes. For example, the collection and use of individuals' information against their wishes rarely becomes a legal problem, and until the law was amended in 2020, individuals were not able to demand that the use of their information be stopped, except in cases of certain legal violations such as illegal acquisition.
Let's compare this to the EU (European Union), which is known for its strict and advanced personal data protection system. Under the GDPR (General Data Protection Regulation) adopted in 2016, one of the basic principles is accountability for the processing of personal data. Processing personal data without providing proper justification is illegal. In order to handle personal data, businesses must clearly demonstrate that the use of the information is justified (Article 6). To be considered lawful, one of the following grounds must be met: (a) consent of the individual; (b) necessity for the performance of a contract or for steps taken prior to entering into one; (c) a legal obligation; (d) protection of vital interests; (e) performance of a task in the public interest or the exercise of official authority; or (f) legitimate interest.
Is Obtaining Individual Consent Enough?
When I explain the grounds for lawfulness outlined above, many people interpret them as simply a need to obtain individual consent. It is true that as long as you have the consent of the individual, the use of their personal data is justified.
However, under the GDPR, consent must be clearly demonstrated to have been given freely by an individual who has received a full explanation. In addition, that individual can withdraw their consent at any time. For example, if an employer asks an employee for consent, the employee may feel unable to refuse. Because of this, employers are essentially unable to rely on the consent of their employees as grounds for lawfulness.
Compared to this, in Japan the consent of the individual is interpreted more loosely. For example, when a job search website was blamed for selling to companies data on the probability of job-hunting students declining informal job offers, it was explained that the website had obtained consent from some students to provide their information to companies. It appears that the students had agreed to provide their information to companies that use the service to assist in recruitment activities. The Personal Information Protection Commission pointed out that this explanation was not sufficient for providing information to third parties, but it has not been clearly determined whether such consent was valid. Under the GDPR, it is unthinkable that the use of personal data would be justified by this kind of agreement.
At first glance, obtaining the consent of an individual seems like a straightforward solution. However, as massive volumes of personal information are collected, stored, and processed, and as their uses diversify, it becomes difficult to obtain detailed and informed consent clearly expressed by the individual. Processing data on the basis of individual consent therefore often causes problems.
Legitimate Interest under the GDPR and Accountability
If grounds for justification are essential and it is difficult to justify data processing by the consent of the individual, one might worry that there would be very few cases in which personal data can be used. Even in the EU, the fact remains that the use of personal data is crucial. To address this, the GDPR provides (f) legitimate interest as an important ground for justification. It is a kind of general clause used when there is a strong need for use, even if the use cannot be justified on other grounds. Broad justification is recognized, provided that the legitimate interest gained from the use outweighs the interests of the individual.
The business is required to inform the individual about the legitimate interest, and the burden of proof is on the business to demonstrate that a legitimate interest exists. The business is expected to let the individual know why it believes the interests are balanced, and to make the relevant documentation available to the supervisory authorities. The individual must be able to file an objection, and if the objection is justified, the use of the personal data must be terminated.
Whether the use of personal data is considered to be in a legitimate interest is assessed by taking a variety of factors into account. The business is obligated to demonstrate that the use is justified, considering the nature of the personal data being handled, whether the use is in the individual's interest, whether it is acceptable to the individual, whether it poses any danger, and whether measures have been taken to ensure security. In cases where the legitimacy is disputed, the data protection supervisory authorities make the decision.
These requirements for such comprehensive accountability are a burden on businesses. However, they pave the way for the advanced use of personal information by having businesses actively demonstrate its advantages and disadvantages. The GDPR contains fairly stringent regulations, placing a heavy burden on businesses, and massive fines have been levied. There are concerns that some of the regulations could obstruct the development of information use. However, there is much to be learned from this stance of striving to realize the appropriate use of personal information by holding businesses accountable, rather than simply relying on consent.
Protection of Personal Information in the Age of AI and Big Data
The widespread use of mobile devices such as smartphones has made it easier to collect the history of individuals' actions. The development of big data processing and AI technology has enabled the accumulation and processing of this kind of information, and new information is constantly being created from it. The use of such information offers various potential advantages to society. On the other hand, these technologies often collect information without users being aware of what is happening, and there is growing concern about privacy and personal information that differs greatly from the concerns of the past.
Japan's system has allowed a high degree of freedom regarding the collection and internal use of personal information. The original purpose of personal information protection systems is to prevent or eliminate harm by restricting the use of information against the will of individuals and by restricting the types of activities that cause significant harm or danger. It is well known that the provision of personal information to third parties and changes in the purposes of use can easily cause these problems. However, internal use can also pose a danger now that it is possible to profile individuals using large amounts of information.
The amendments made in 2015 to the Act on the Protection of Personal Information require consent from the individual to collect and use "special care-required personal information" that may lead to unfair discrimination and other forms of unjust use. Furthermore, under the amendments made this year (2020), individuals are allowed to demand the suspension of use or the deletion of information in cases where risks are posed to the individual's rights or legitimate interests. These amendments are aimed at introducing a system for the collection and internal use of personal information that also reflects the will of the individual. However, there is currently no plan to introduce a system that requires accountability from businesses.
The importance of the use of personal information will continue to grow. There is a need to create an environment in which the beneficial use of personal information can be achieved while preventing as much harm as possible. To this end, Japan's personal information protection system must also incorporate a mechanism that requires accountability from businesses.
Taro Komukai was born in Tokyo in 1964. He graduated from the School of Political Science and Economics, Waseda University in 1987. He completed the Doctoral Program at the Graduate School of Law, Chuo University in 2007. He holds a Ph.D. in Law (Chuo University). He assumed his current post in 2020 after serving as senior vice president of InfoCom Research, Inc., teaching as a guest associate professor at Waseda University, and teaching as a professor at Nihon University. Since the early 1990s, he has been conducting a broad range of research on the problems in legal systems posed by the development of information technology.
Recent publications include Johoho Nyumon (Dai-5-ban) Digital Network no Horitsu (Introduction to Information Law (5th Edition) Laws of Digital Networks) (NTT Publishing, 2020), Gaisetsu GDPR - Sekai wo Yurugasu Kojin Joho Hogo Seido (Outline of the GDPR: The Personal Information Protection System that Will Change the World) (co-authored, NTT Publishing, 2019), Kiso kara Manabu Digital Forensics (Learning Digital Forensics from the Basics) (co-authored, Union of Japanese Scientists and Engineers, 2019), among others.