The Asia Pacific Institute for the Digital Economy (APIDE) and Keio University welcomed officials and experts on Internet privacy from Japan, Korea and the United States to the Sixth Multi-Stakeholder Forum on Privacy held at Keio University on June 24, 2016. The Forum was also joined by a panel of experts drawn from Japan’s multi-stakeholder community, including academic, business, legal and engineering community representatives.
Kazunori Yamamoto, Personal Information Protection Commission Councilor
The Forum opened with a keynote address by Personal Information Protection Commission (PPC) Councilor Kazunori Yamamoto who outlined the work that the PPC is doing to develop new regulations in addition to an administrative framework for overseeing the recently adopted revisions to Japan’s Personal Information Protection Act (PIPA). Yamamoto reported that the Commission’s work to date has focused on clarifying the definition of personal information, setting out procedures for protecting sensitive information, introducing a framework for de-identified information, providing guidance for record-keeping for third-party data transfers, and steps to address both globalization and cross-border data flows.
With respect to the definition of personal information, Yamamoto said that the Commission was considering including further data types to be covered under the new PIPA. The new categories include: DNA data, finger and palm prints, speech patterns, facial recognition, resident registration numbers, pension identity numbers, as well as drivers’ license and passport numbers. Previously, only names, addresses, and dates of birth were covered under the Act. The PPC is also looking to protect additional data, described as “sensitive personal information”, which may not be collected or transferred without individual consent. This includes race, ethnicity, religious beliefs, medical history, and criminal records.
More Data Types Expected to Be Covered Under the New Privacy Law
Yamamoto also commented on a controversial aspect of the new legislation that calls for the government to set standards and procedures for the “de-identification” of data. He indicated that discussions within the PPC have so far focused on setting minimum requirements for de-identification that would apply to all business operators, leaving the setting of detailed procedures and standards to industry groups in each sector. He described this as a “co-regulatory” process and one that the PPC staff is preparing written guidance for.
On the sharing of personal data for commercial purposes, the revised law requires businesses to keep records detailing when and to whom data was transferred. This has resulted in questions on the scope and cost of compliance. In his remarks, Yamamoto stated that the PPC would be providing guidance to deal with uncertainty in this area, but offered assurances that PPC does not intend to create a large compliance burden for business. As a specific example, he offered the case of a family member who has accompanied an elderly member of the family to a financial institution to confirm that individual’s personal financial information. Even though a “third party” is technically involved, there is no legal obligation for the financial institution to keep a record that it has shared this account information with the accompanying family member.
On the transfer of personal data to third parties in a foreign country, Yamamoto prefaced his remarks by saying that it was clear from the Diet record that legislators did not intend to create new obstacles to the ongoing transfer of data between Japan and the world. He noted that Diet discussion acknowledged the need for clear standards in this area, but that businesses would not be required to prove in advance that their internal procedures met these requirements. Yamamoto specified that there currently are three scenarios under which cross-border transfers are allowed under the new law: 1) Transfers to third parties that are contractually based, 2) Transfers among affiliated companies with a common internal data protection policy, and 3) Transfers to firms in countries that adhere to an internationally recognized privacy framework, such as the APEC Cross Border Privacy Rules (CBPR).
Nohyoung Park, Korea University School of Law
Professor Park began his remarks by noting that while the Korean Constitution does not formally mention “right to data protection” as a legal right, the Constitutional Court ruled in 2015 that “right to data protection” is a basic right that is necessary to protect the individual from the “enlargement of state functions and information communications technology”. While the Korean Personal Information Protection Act was not enacted until 2011, a number of sector-specific laws which protected network, locational and e-commerce related personal information preceded it. Park observed that this judicial and legislative background has hampered the greater use of personal data in Korea for commercial purposes as well as the development of cloud computing and data analytics.
Compounding the problem are a number of massive leakages of personal data—the largest being 100 million cases (2 times the population of South Korea) of loss of personal information from three credit card companies that came to public attention in January 2014. This prompted intense demands to tighten the existing privacy framework as well as the introduction of punitive damages (up to three times the amount of the actual loss) in the case of personal information leakages or misuse. Revisions strengthening provisions of the Personal Information Protection Act, the Network Act and the Credit Information Act were implemented in March 2014, July 2015 and March 2016, respectively. With regard to the Personal Information Protection Act, a new mandate was introduced requiring encryption by firms using Resident Registration Numbers to identify customers in addition to making the theft of personal data punishable by fines of up to US$100,000 and imprisonment for up to 10 years.
Tough restrictions on the handling of personal data could slow the growth of Korea’s Digital Economy
Professor Park explained that a key problem for Korea’s system for the protection of personal information has been the institutional weakness of the Personal Information Protection Commission, which shares its powers with a number of government ministries. This is now changing. The Commission is tasked with establishing “basic plans for the protection of personal information” and given the authority to “recommend” changes in data protection policy to other ministries and agencies. A March 2016 amendment also requires data controllers (transferees) to notify the data subjects in the case of a third-party transfer of personal information; previously this had been based on the consent of the data subject given to the transferor.
Professor Park concluded that these reforms and the concomitant strengthening of the role of the Personal Information Protection Commission have been generally positive. However, these changes have also brought into sharp focus a number of issues. First, there is a concern that the tough restrictions on the handling of personal data could restrict the growth of Korea’s Digital Economy, especially the greater use of cloud computing and big data. Second, while the centrality of the Commission in managing privacy issues has been affirmed, there is still much work to be done to consolidate the legal and institutional framework of privacy regulation in Korea. Finally, as strict privacy laws in Korea reflect both the national security restraints and public demands for greater protection in the wake of massive data leakages, there is a danger of an overreaction that could disrupt cross-border flows of data in and out of Korea, isolating Korean companies from the region.
Mike Panzera, FTC International Division Counsel
Panzera focused his presentation on a discussion of FTC efforts to expand its mandate to protect consumers throughout the Internet of Things (IoT). He noted that IoT is not just a web of sensory data, but information that, when combined with “big data”, can lead to breakthroughs in healthcare and improve traffic management. The challenge lies in the fact that the technology and processes through which IoT data is generated and transmitted can lead to identity theft, fraud and loss of consumer control. The IoT threat is compounded by the fact that sensors, once deployed, are difficult to update and secure, leaving consumers increasingly vulnerable as technology becomes more sophisticated. Over time, such vulnerabilities greatly risk undermining consumer trust and the acceptance that undergirds innovation and continued reliance on these devices.
The FTC has sought to address these issues by setting out a number of rules and principles to govern the development and deployment of IoT. These include requirements that companies: build in security from the start; train employees in good security practices; ensure downstream security and privacy through vendor contracts and oversight; and provide multiple levels of security and access controls.
Panzera offered the example of a rice cooker with an application that allowed it to be controlled remotely by the consumer. He noted that, from an FTC perspective, the company making the cooker could legitimately collect information on how the cooker was used for the purposes of safety and future product design and marketing. However, it should not share the information with other companies for purposes that would be inconsistent with the usage of the product.
Panzera concluded that there are three main approaches to regulating privacy. The first two are binary, looking only at the “sharing” or “protection” of data. The FTC has taken a third path, which emphasizes “protection” of the consumer, reasoning that such an approach builds “trust”, a core value for the Digital Economy. He argued that “enforcement” is critical to the credibility of this third approach, noting that the FTC has brought over 500 cases against violators of consumer privacy. Panzera concluded that since there is no such thing as “100 percent” security, the government’s role is to ensure that companies follow appropriate procedures and that consumers can make informed choices about how they share their data.
APIDE Executive Director Jim Foster served as the moderator for the panel discussion and opened the dialogue by observing that the three governments (Japan, Korea, and the US) seem to be trying to accomplish the same goal but in different ways. Japan has revised its data protection framework to promote the greater use of data for commercial purposes. Korea has made protecting data and enforcement of data security the foundation of its policy. The US has emphasized safeguarding consumers as opposed to data, seeking to regulate the Internet of Things from this perspective.
In response, BizMobile CEO Yoshihiro Obata said that consumers basically want to protect personal data about themselves and their families, noting a recent controversy in Japan over how nursery schools seeking to promote their programs have come under criticism for using photos of children attending the schools and of the schools’ staff. On the other hand, there are also many other situations where they are happy to share their preferences, e.g., restaurant recommendations or product reviews.
Privacy regulation involves both “soft” and “hard” power
Facebook Japan’s Head of Public Policy Takuya Yamaguchi took the opportunity to ask two questions. He asked the FTC’s Mike Panzera how “trust” with respect to privacy issues between consumers and service providers has developed in the US. Panzera responded that “enforcement” of privacy regulations is key. Consumers in the US know that if there is a violation, companies or others will be punished by the government. He emphasized that the government’s job is to protect “people” not “data” – and that this helps to build trust.
Yamaguchi raised the issue of how the PPC will safeguard innovation even as it develops new regulations. As an example, he pointed out the situation where research on facial recognition needs to be conducted outside Japan since under the current interpretation of the law storage for even a brief period of facial recognition data needs to be treated as “personal information” requiring “opt-in” consent. PPC Councilor Yamamoto responded that people are uneasy with surveillance cameras recording their movements — preferring to know how that information was being used. Thus, while the government wants to promote research on the greater utilization of such information, it also has to have measures in place that can reassure people that such data is appropriately collected and used.
APIDE’s Foster pursued the issue of enforcement by noting that panel member and Chuo University Professor Hiroshi Miyashita had previously argued in a published article that strict enforcement of privacy is less necessary in Japan because of companies’ concerns with reputational risk. Foster noted that Korea is enforcing good behavior through significant fines while the FTC has actively prosecuted companies for misuse of personal data and asked Miyashita if perhaps Japan was an outlier.
Professor Miyashita acknowledged this argument, but stated that effective privacy regulation involves both “soft” and “hard” power. PPC Councilor Yamamoto agreed with this thinking, saying that overly restrictive and compliance-heavy policies are not the direction that the PPC wants to take. He observed that, in general, companies want to do the right thing in order to avoid betraying their customers’ expectations. The problem remains that companies need to better understand the rules and what is required to safeguard personal data. Additionally, when there is a breach or leakage of data, the PPC’s view is that it is the “hackers” rather than the company that should be punished.
There is strong interest in Japan in finding ways to use data to promote economic growth
The FTC’s Panzera affirmed this line of argument, noting that a data breach in itself is not a “violation.” He noted that “soft” power is a big part of the FTC’s enforcement strategy: typically a company is not fined but instead becomes the subject of a “settlement” or “consent order” under which it undertakes certain actions to avoid future penalties. This in turn sends a strong message to other companies in the sector about the measures they need to take to avoid future FTC enforcement actions.
Professor Park noted that privacy violations in Korea inevitably lead to strong enforcement actions, if only because of the extensive media attention given to these events. He asked Councilor Yamamoto about the situation in Japan and suggested that PM Shinzo Abe’s efforts to boost Japan’s economy have likely encouraged a more flexible approach to commercial data usage and privacy. Councilor Yamamoto replied that there is strong interest in Japan in finding ways to use data to promote economic growth. On the other hand, there is great sensitivity among the public regarding the use of personal information as evidenced by the strong public reaction to the sale of personal data collected by the Japan East Railway to a private company several years ago. For this reason, the revised legislation has directed the PPC to set standards for de-identifying data so it can be used extensively for commercial purposes without raising privacy concerns.
APIDE’s Foster raised a question regarding how revisions to Japan’s privacy framework might impact the cross-border data flows which are key to realizing the full benefits of increased data usage in commercial operations. Japan-US Internet Economy Working Group chair Toshinori Kajiura said that while the outline found in the new legislation appears generally acceptable, the business community looks forward to working with the PPC on specific implementation issues, revolving around certification and reporting requirements.
ACCJ Internet Economy Task Force Chair Yoshitaka Sugihara observed that with the advance of cloud computing, compliance with differing government requirements is difficult as it is increasingly difficult from a technical standpoint to determine where data is being stored and used. He stressed his expectation that the Japanese government would take steps to promote cross-border data flows as an important pre-condition for a more integrated Asian economy. Professor Park added that, in the Korean context, there are no restrictions on the storage and processing of financial data outside Korea, but localization limitations are still in place for government-related data.
Meiji University Professor Andrew Adams ended the program by making a strong statement about the need in Japan to more strictly regulate the activities of “data brokers.” He asserted that data brokers weaken the trust of citizens in the Internet and the Digital Economy. PPC Councilor Yamamoto agreed that this is a key issue and noted that the new legislation contains provisions to address this problem through enforcement actions. The FTC’s Mike Panzera added that this is a growing and difficult challenge in the US as well, particularly because the brokers operate in the shadows such that consumers are often unaware as to how their data is sold and used. He concluded that government will need additional tools to deal with this problem.
Japan’s PPC appears to be making steady progress since its inception in January 2016 to develop rules and guidelines for privacy that allow scope for greater utilization of personal data for commercial purposes. This is seen especially in the approach taken in setting standards for de-identified data, where the Commission is open to industry involvement in setting voluntary sectorial standards. There remains, however, the need for more clarity with regard to how cross-border data transfers will be handled. This is particularly sensitive in light of discussions with the EU regarding Japanese industry’s interest in securing an “adequacy” finding from the Article 29 Data Protection Working Party.
Japan’s PPC appears to be making steady progress
Korea is facing challenges in the data protection sphere due to recent massive leakages of public and commercial databases. Understandably, this has resulted in new restrictions and penalties associated with the handling of personal data including the mandating of encryption for the retention of Resident Registration Numbers. While steps to strengthen the purview of the Personal Information Protection Commission are welcome, there are worries that these many new measures may pose obstacles to greater utilization of cloud computing, big data and the Internet of Things by both the public and private sectors in Korea.
The US FTC’s emphasis on consumer protection provides a useful and different perspective on safeguarding privacy. This multi-level, decentralized, market-oriented approach has attractive features, allowing the US to flexibly respond to new challenges to privacy associated with the advance of Big Data and the Internet of Things. However, many elements of privacy rule-making found in the US are unlikely to translate well to Asia for a variety of political, economic and cultural reasons as highlighted by the discussion of the role that “reputational risk” plays as a deterrent to privacy abuses in Japan and the serious concerns in Korea about national security and the cyber threat from the North.
Director of the Secretariat for Japan’s Personal Information Protection Commission (PPC)
Kazunori Yamamoto is Counselor of the Secretariat of the Personal Information Protection Commission (PPC). He has worked on industrial, trade and energy issues within the Ministry of Economy, Trade and Industry (METI). Prior to joining the PPC, Counselor Yamamoto served as Counselor to the National Strategy Office of Information and Communications Technology within the Cabinet Secretariat. His work has led to the establishment of the new framework of personal information protection within Japan as part of its efforts to facilitate the expansion of the Digital Economy within Japan.
Korea University School of Law
Nohyoung Park is the former Dean of Korea University’s School of Law, and the Director of its Cyber Law Centre. He graduated from the College of Law, Korea University (LL.B., 1981), Korea University Graduate School (LL.M., 1983), Harvard Law School (LL.M., 1985), and the University of Cambridge (Ph.D. in International Law, 1990). His main research interests cover international economic law, negotiation and mediation, and cyber security and privacy.
Counsel for International Affairs at the US Federal Trade Commission (FTC)
Michael Panzera is counsel for international consumer protection at the United States Federal Trade Commission, Office of International Affairs, primarily covering matters relating to Asia and Latin America. Prior to joining the Federal Trade Commission, he served as senior trial counsel at the Department of Justice, Civil Division, representing the United States in international trade litigation in the Court of International Trade and the Court of Appeals for the Federal Circuit, as well as contract disputes involving Federal agencies before the Court of Federal Claims. Previously, he completed a two-year detail as a Mansfield Fellow in Tokyo, working at the Ministry of Foreign Affairs, the Ministry of Economy Trade and Industry, and the Tokyo High Court.
Co-Chair, Japan-US Internet Economy Private Sector Working Group, Keidanren
Toshinori Kajiura is Senior Researcher at Hitachi – Information & Communications Systems. He is also Chair of the Japan Committee on the Internet Economy Industry Forum at the Japanese Business Federation (Keidanren). Mr. Kajiura is a visiting professor at Tsukuba University and serves as an expert on various working groups within METI, MIC, and Ministry of Land, Infrastructure, & Transportation.
Yoshiro Obata began his career with KDD (former KDDI) in ’86, and later as an acceptance testing and global interconnection engineer, subsequently working for their R&D teams, where he designed and developed a second-generation global fax mail system. In 1994, he was assigned as the project manager to start global Internet transit business between the United States and Japan. In 2013, after the acquisition of eAccess by Softbank, he moved to Equinix Japan where he works as a solutions architect. He now serves as the CEO of BizMobile, Inc.
Vice President for International Collaboration, Keio University
Dr. Kokuryo holds an MBA and Ph.D. from Harvard University. As a member of Japan’s IT Strategy Headquarters, Dr. Kokuryo played a key role in Japan’s rapid and highly successful deployment of Internet infrastructure and has been a strong advocate of greater utilization of Internet technologies in areas such as healthcare and disaster preparedness.
He heads the Design Platform Laboratory within the Keio Research Institute.
Founder and President of Lepedium Co. Ltd.
Tatsuya Hayashi is Founder and President of Lepedium K.K, established in 2004 to advance the support of applied research technique methods and prototyping services for software development. From 2009 onwards, he has worked on standardization issues within the W3C and IETF (Internet Engineering Task Force). He has been a leader within the private sector on identity and personal data issues since 2013, working on the advancement of identification technologies as secretariat, and board member at the OpenID Foundation Japan. He is active within the Internet Society (ISOC), ISOC-Japan. Hayashi is currently working on protocols, certification authentication, and other security concepts as related to privacy and personal data.
Professor, Chuo University
Dr. Miyashita is associate professor of law at Chuo University. He was appointed as the first privacy officer for international relations in the Cabinet Office of Japan in 2007, attending the OECD, APEC, APPA and Privacy Commissioner’s meetings as the Japanese delegation. He received a Doctor in Law from Hitotsubashi University and was a visiting scholar at Harvard Law School and CRIDS (Centre de Recherche Information, Droit et Société), University of Namur.
Policy Director, Government Affairs, CISCO Japan
Shuichi Izumo is a public affairs expert specializing in the areas of ICT policy and security issues, currently working as the policy director based in Tokyo, representing Cisco Systems on its public policy discussions in Japan. Before joining Cisco Systems, he worked for Twitter as partnership team manager, working on projects with government and news organizations in the use of real-time analyses on Tweet data. He also worked for NHK for more than twenty years from 1989 to 2011, having started his major career as its political affairs correspondent covering security affairs.
Chair, Internet Economy Task Force, American Chamber of Commerce Japan
Yoshitaka Sugihara serves as a Governor of the American Chamber of Commerce in Japan, and Chair of the Internet Economy Task Force. He studied Political Science at Doshisha University before attending the University of Pennsylvania. In 1994 he served as a researcher at the London School of Economics. He specializes in Information Communications, International Relations, and International Economics, and is a Policy Manager at Google Japan.
Legal and Corporate Affairs, Microsoft Japan
Mari Nakajima joined Microsoft Japan in 2007 and has handled various commercial deals including cloud services, licensing, and marketing.
She currently focuses on privacy and security in cloud services.
Deputy General Counsel, Corporate Legal Affairs & Public Policy
Mana Ishijima studied law at Keio University and started her career at Toyota Tsusyo Corporation (former Tomen Corporation). Her interest in the unlimited possibilities of the Internet finally led her to join Yahoo! JAPAN in 2002. She has been engaged in various unique services of Yahoo! JAPAN and many of its significant commercial deals. After serving as a senior manager of the M&A team in the legal department, she was assigned as the Deputy General Counsel in 2015, responsible for corporate legal affairs & public policy.
Head of Public Policy Japan, Facebook
Takuya Yamaguchi has been the first officially appointed Head of Public Policy at Facebook Japan since March 2015. Before joining Facebook, he worked for Google Japan, Cisco Systems Japan, and Microsoft Japan as a public policy and government outreach expert and dealt with a broad range of policy issues related to ICT. He also worked as Deputy Director, IT Policy Office, Government of Japan.
Former Asia Region Privacy Officer, HP Inc
Yoshihiro Satoh has mainly focused on information security, not only from the viewpoint of technology, but also from the perspective of IT strategy, especially in enterprise architecture over the past 20 years. Through his consulting for Japanese manufacturing, financial, telecommunications, media and other sectors, as well as for government, he has worked to establish a culture wherein organizations appreciate the critical need for an overall security policy. For the past decade he has also been involved in HP’s own privacy protection measures. In addition, he developed METI’s safeguard guidelines for Japan’s personal information protection law and joined the Cabinet Secretariat working group tasked with the revisions to Japan’s privacy law.
Executive Director, The Asia Pacific Institute for the Digital Economy (APIDE)
Jim Foster is Executive Director of APIDE, and Professor at Keio University. He is interested in the intersection of technology and policy with a particular focus on how regulatory frameworks impact innovation and growth. He is also active on global Internet governance issues, especially as they relate to privacy, security and competition policy concerns. He is a former Vice President of the American Chamber of Commerce in Japan (ACCJ) and a founder of the ACCJ Internet Economy Task Force, which supports the US-Japan Internet Economy Dialogue.
He graduated from the University of Notre Dame in 1971 and received his Ph.D. in Government from the University of Washington in Seattle in 1980. He is a former US diplomat and worked as Director of Corporate Affairs for Microsoft Corporation in Tokyo.