ECOM Journal 2008
ECOM Activity Results Report, EC Safety & Security Group, Personal Information Protection WG
This being the third year since the Act on the Protection of Personal Information (hereafter the "Protection Act") came into full effect, the working group discussed revision of the ECOM guidelines, researched trends in personal information protection overseas, continued the previous year's visual survey of websites to check what measures are taken to protect personal information, and developed a checklist to promote the encryption of personal information. These FY 2007 activities are summarized below; Table 1 gives an outline of them.
Table 1. Activities for the Personal Information Protection WG

ECOM revised its Guidelines and released them in July 2007, following the March 2007 revision of the Ministry of Economy, Trade and Industry's Guidelines Targeting the Fields of Economy and Industry Regarding the Act on the Protection of Personal Information. Two provisions were added. First, when personal data involved in an accident such as a leak had been subjected to concealment processing such as strong encryption, the company is exempted from notifying the affected individuals and from making a public announcement through the media. Second, in the section on reporting to the supervisory authority, a company that belongs to a certified privacy protection group may report to that group instead of to the supervisory authority.
The WG is also reviewing the clause on "overseas transfer of personal information" in preparation for a further revision. Drawing on the EU Directive on Privacy and Electronic Communications, the APEC Privacy Framework and similar instruments, the WG aims to identify the requirements a business must meet when transferring personal information overseas and to write a guideline for them. Specific items include enforcing proper management of the personal information at the overseas destination, encrypting the data in transit, restricting who may receive the data and how it is received, measures against leakage of the transferred data such as collecting access logs, and establishing a global privacy policy.
Turning to overseas trends, through FY 2006 we studied advanced jurisdictions such as Europe and the United States as well as the BRICs. In FY 2007 we extended the survey to countries around the Pacific. Some of the findings follow.
New Zealand has comprehensive privacy legislation that covers the private sector and is administered by a Privacy Commissioner; the Office of the Privacy Commissioner handles about 1,000 complaints and 6,000 inquiries a year. However, because its rules on overseas transfer are inadequate, its conformity with EU requirements remains unresolved.
Mexico has no comprehensive personal information protection law, but sector-specific laws mean personal information must still be handled with care. Its consumer protection law, for example, allows consumers to refuse direct marketing and prohibits companies from passing a customer's personal information to a third party without the customer's written consent.
Under the Computer-Processed Data Protection Law, which covers government agencies and eight private-sector categories (credit records, hospitals, schools, telecommunications, finance, securities, insurance and journalism), the data subject has the right to have use of their data stopped or the data deleted, and to prohibit its transfer to a third country that has not enacted privacy protection legislation.
From May to June 2007, ECOM repeated the previous year's visual survey of websites to check what measures are implemented to protect personal information. It covered 161 ECOM member companies (mostly large companies) and 223 online retailers (mostly small SOHO businesses) that hold an online trust mark. Some items are compared below.

The share of companies posting a privacy policy somewhere on their website was 96% among ECOM member companies (mostly large companies) and 81% among online retailers (mostly small businesses). The gap between businesses of different sizes is narrowing.

Both ECOM member companies and online retailers post too little about the "method of acquisition" and "source of acquisition" of personal information. Although the law does not require these to be disclosed, stating them clearly is important to earning consumers' trust, and we would like to see them posted voluntarily.
As noted in the section on the revision of the ECOM Guidelines, in March 2007 the Ministry of Economy, Trade and Industry set out its position that encryption exempts a company from notification in the event of a leak. The Financial Services Agency has since adopted the same position, giving strong impetus to its adoption by all agencies. In the United States, likewise, more than 30 states have laws requiring anyone who leaks data such as credit card, debit card or medical record information to notify the affected individuals promptly, but these laws exempt data that was encrypted; we regard this as highly significant. Such exemptions presuppose that the encryption is strong and that the keys were not compromised together with the data: ciphertext stored beside its key, or under a weakly protected key, offers no real protection. ECOM therefore positions encryption as the "last line of defense" for personal information and has prepared a checklist to promote its adoption (Table 2).
Table 2. Thorough Check List for the Encryption of Personal Data
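The checklist itself is not reproduced on this page. As an added illustration (not part of the ECOM report or its checklist) of what treating encryption as the last line of defense means in practice, the following Go program encrypts a customer record with AES-256-GCM under a key that is kept apart from the stored data. The record layout, the function names and the sample customer data are assumptions constructed for this example. It shows that the stored bytes no longer contain the personal data, that a leaked copy of those bytes cannot be opened without the key, and that a copy moved to another record ID or modified in storage is rejected rather than decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is a constructed customer record of the kind an online retailer
// stores; the field values used below are made up for this example.
type Record struct {
	Name    string `json:"name"`
	Address string `json:"address"`
}

// Sealed is what actually reaches the database and its backups: ciphertext
// only. The key lives elsewhere (a KMS, HSM or separate key server), so a
// leak of the table or a backup does not expose the personal data.
type Sealed struct {
	Nonce      []byte // 96-bit random nonce, unique per Seal call
	Ciphertext []byte // AES-GCM ciphertext with the 16-byte tag appended
}

// NewKey returns a fresh 256-bit AES key. In production the key comes from
// the key-management system and is never stored next to the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record with AES-256-GCM. The record ID is bound as
// associated data, so a ciphertext copied from one row cannot be replayed
// into another row and decrypted there.
func Seal(key []byte, recordID string, r Record) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	plaintext, err := json.Marshal(r)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(recordID))}, nil
}

// Open decrypts and verifies. A wrong key, a wrong record ID or any change
// to the stored bytes is rejected outright instead of yielding garbage.
func Open(key []byte, recordID string, s Sealed) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	plaintext, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(recordID))
	if err != nil {
		return Record{}, errors.New("wrong key, wrong record ID or tampered ciphertext")
	}
	var r Record
	if err := json.Unmarshal(plaintext, &r); err != nil {
		return Record{}, err
	}
	return r, nil
}

// ContainsPlaintext is the question behind the exemption: could someone who
// obtained only the stored bytes read the personal data from them?
func ContainsPlaintext(s Sealed, r Record) bool {
	return bytes.Contains(s.Ciphertext, []byte(r.Name)) ||
		bytes.Contains(s.Ciphertext, []byte(r.Address))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	rec := Record{Name: "Hanako Yamada", Address: "1-2-3 Example-cho, Chiyoda-ku, Tokyo"} // constructed
	sealed, err := Seal(key, "customer-1001", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored bytes:", hex.EncodeToString(sealed.Ciphertext))
	fmt.Println("personal data readable from stored bytes:", ContainsPlaintext(sealed, rec))
	back, err := Open(key, "customer-1001", sealed) // the application, holding the key
	fmt.Println("with key:", back, err)
	leakedOnly, _ := NewKey() // an attacker who has the table but not the real key
	_, err = Open(leakedOnly, "customer-1001", sealed)
	fmt.Println("without key:", err)
}
```

Run as is, the program prints the hex of the stored bytes, `false` for readability, the recovered record, and a verification error for the keyless attempt. The exemptions discussed above only hold if the key really is elsewhere: a key kept in the same table, configuration file or backup as the ciphertext makes the leaked bytes as good as plaintext, which is why key storage belongs on any such checklist alongside the cipher itself.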

We have introduced some of our FY 2007 activities. The latest version of the ECOM Guidelines and the results of the visual survey will be posted on the ECOM homepage as soon as they are available, so please refer to the website as well. In FY 2008 we will continue the FY 2007 activities while following the discussions on revising the Protection Act.