Japan recently amended its data privacy law to allow greater access to so-called “big data”. A wide range of industries including retail, technology, communications and consumer goods are increasingly relying on big data to boost their business performance.
As a result of the amendment, both domestic and foreign companies now have more opportunities than ever to tap into the lucrative Japanese economy, the third-largest in the world. With the amendment, Japan also hopes that the EU will formally recognize Japan as providing adequate data protection, thereby allowing significantly freer cross-border data transfers between Japan and EU countries.
Big data refers to large quantities of structured or unstructured information that organizations can analyze for potential gains. Perhaps the most obvious benefit of using big data is greater sales. However, companies also rely on big data to increase customer satisfaction, implement more targeted marketing strategies, come up with new and innovative services, and reduce costs. Before the amendment, it was unclear how extensively Japanese privacy laws allowed the sharing of big data, leading many to err on the side of caution and refuse to disclose any big data to third parties.
In addition, the EU has yet to recognize Japan as providing data protection that is “essentially equivalent” to EU member countries. Gaining a coveted spot on the EU’s “white list” would enable EU countries to share personal data with Japan without the need for any further safeguards, which could in turn produce significant economic and trade-related benefits for both Japan and the EU.
AMENDMENTS BRING CLARITY
Japan amended the Act on the Protection of Personal Information in part to address these issues. The relevant amendments, which took effect on 30 May 2017, make it easier for businesses to sell big data to third parties without having to obtain consent from the individuals whose information make up the big data in question. The amendment also brings Japan’s data privacy laws more in line with the EU’s, which Japan hopes is enough to convince the EU to approve the free flow of data to and from Japan.
The amendment creates a clear distinction between “personal information” and “anonymized information”. Put simply, it is now much easier to obtain and sell big data that is classified as anonymized information without the need to obtain consent.
In order to obtain personal information, businesses must inform the relevant individuals about the purposes of obtaining that information. Personal information consists not only of data such as names, addresses and birthdates, but also includes data that can be cross-referenced to identify specific individuals even though that data would not be sufficient to identify anyone.
By contrast, anonymized information is an individual’s personal information that has been modified so that it can no longer be used to identify that individual. To cite one example, a supermarket chain could analyze the shopping patterns of individuals to determine that customers from a certain region tend to purchase higher-priced organic vegetables. Although the raw data may include names and addresses, the supermarket combines that data to ensure that it is impossible to identify specific customers. Using the information, the supermarket can improve its sales strategy and boost sales. It can also sell that data to help other companies do the same.
SENSITIVE PERSONAL INFORMATION
As part of its move to gain EU approval for its data protection law, the amendment introduces the concept of “sensitive personal information” in an effort to effectively mirror the equivalent EU data privacy scheme. Sensitive personal information covers race, social status, religion, criminal and medical history, and any other information that could result in discrimination or prejudice. Under the amendment, a company is in most cases required to obtain prior consent on an “opt in” basis before obtaining and disclosing sensitive personal information (“opt in” assumes no consent by default, with the individual needing to actively and explicitly consent in advance).
The amendments should go a long way in making big data in Japan much more accessible, helping businesses hone their marketing strategies in one of the largest economies in the world. For its part, the EU earlier this year recognized Japan’s amended data protection law as providing “comprehensive data protection”. Although nothing is official or guaranteed, this recognition nevertheless represents a significant step towards the EU formally recognizing Japan’s data protection measures as robust enough to warrant an “adequacy finding” that would add Japan to the EU’s list of approved countries. Both of these developments would further the cross-border sharing of data in an ever more globalized economy.
DARCY KISHIDA is an attorney at Kojima Law Offices, the Japan member of Meritas Law Firms Worldwide
Kojima Law Offices
Gobancho Kataoka Bldg, 4/F 2-7 Gobancho,
Chiyoda-ku, Tokyo 102-0076, Japan
Tel: +813 3222 1401
Fax: +813 3222 1405