Survey of the Act on the Protection of Personal Information in Japan and International Standard Framework for De-identification
DOI:
https://doi.org/10.52731/lbds.v004.192
Keywords:
Act on the Protection of Personal Information, de-identification, ISO/IEC 20889, ISO/IEC 27559, ITU-TSG17 X.1148
Abstract
This paper discusses the legal definitions of de-identification, re-identification, anonymization, and pseudonymization based on Japan’s amendment act of the Act on the Protection of Personal Information. It also introduces current international standardization trends in de-identification, including the standardized frameworks ISO/IEC 27559 and ITU-TSG17 X.1148, and related international standards such as ISO/IEC 20889. Personal data de-identified by anonymization or pseudonymization must be de-identified adequately before being used as part of publicly available big data sets. Dealing with big data and sensitive personal data requires knowledge and technical competence to maintain the appropriateness of that data. Many companies are implementing big data projects and need a sound legal understanding to develop them in line with international standards and to remain compliant with the ever-increasing regulatory risk requirements.