Full Text

MORE and more businesses are waking up to the importance of big data as a strategic resource. By analyzing the purchase history of its customers, a business can easily identify purchase trends and patterns. The increasing availability of cloud processing, analytics, and storage services has enabled businesses of all sizes across many industries to access big data. However, we must remain concerned both about the collection of personal data and in particular, the promulgation of data privacy laws to both protect personal data and, at the same time, promote the utilization of big data.

In Japan, the Act on the Protection of Personal Information ("PPIA") was recently amended and became effective on May 30, 2017 (the "Amended Act"). The amendments will introduce a number of changes to existing personal data protection system. The term "personal information" as used in the Amended Act, for example, has been clarified to further protect personal data and introduce more necessary regulations. At the same time, the amendments introduce the concept of "Anonymously Processed Information" to promote the use of enormous personal data (i.e., big data) collected through the development of information and communication technology ("ICT"). The Amended Act also introduces new rules in response to the globalization of data flows.

The purpose of this article is to provide practitioners with an understanding of three important changes made by the Amended Act and how these changes are likely to play out in practice. In Part I of this article, we will give a brief explanation on the newly revised definition of personal information under the Amended Act. Part II addresses and clarifies how and when big data should be treated under the new concept of Anonymously Processed Information. Part III discusses the new scheme under the Amended Act on cross-border transfers of personal information.

I. Definition of Personal Information

A.Clarification of definition of personal information

Under PPIA, "personal information" was defined broadly, and the scope of personal information was at times ambiguous. This ambiguity created difficulties among business operators.1 For instance, information like personal identification numbers would not fall under the definition of personal information under PPIA in the absence of other information that could be easily used to identify a specific individual. With the development of ICT, however, there...