The Yomiuri Shimbun

Allegations that British data analysis company Cambridge Analytica acquired data from Facebook that was improperly leaked (see below), and revelations that information has been collected through Facebook’s “like” button feature (see below), have come to the fore. At the crux of these issues is Facebook’s approach to data privacy. With the data business snowballing, are the individuals who provide this data being treated fairly? The Yomiuri Shimbun asked Mari Sonoda, secretary general of the Personal Information Protection Commission. The following are excerpts from the interview.
The Yomiuri Shimbun: How will the commission deal with the “like button problem?”
Q: Have you approached Facebook over this matter?
A: We called in relevant officials from the company to hear their explanations. We will ask the company to explain to its users in easily understandable terms what happened, and we’ll consider offering administrative guidance. Facebook is reviewing its data policy, so we are carefully checking the content of that.
Q: Any website can feature the like button, so they appear everywhere from websites offering medical information to pornographic sites. Doesn’t Facebook need to lay out conditions for adding this feature to a website?
A: It is certainly a problem that a user’s secret interests can be inferred depending on the content of the websites they view. There are various approaches to tackling this, but I personally think one idea would be for Facebook to compile standards for installing the feature.
Q: Hasn’t Facebook been violating its obligation to properly acquire information under the Personal Information Protection Law?
A: I will refrain from commenting on individual cases, but I will say that it is important to clearly and simply notify users when their information is being collected, and to create a system in which an individual user can decide.
Q: The criticism of Cambridge Analytica’s collection of Facebook data that has been alleged is also difficult to understand. In this case, the possibility has been raised that personal data was improperly used during an election campaign. But this is not the only problem. Facebook gave an external app creator data about the users and also the users’ Facebook friends. Has this been sufficiently explained?
A: We need to have a system in which users are clearly aware of exactly what range of information is being supplied to a third party, and for what purpose. The system must let users decide what information should be shared. The app in question was also used by 104 people in Japan, so it’s possible up to 100,000 people, including their friends and others, could be affected here. At present, we have requested a report on the situation and we will deal appropriately with this matter based on the law.
Device identifiers a problem
Q: Huge amounts of user data collected through online services are being exchanged among companies, and not just Facebook. But this is difficult for users to understand. Is the fact that the acquired data is not about individuals, but information that can identify individual computers and other details — and therefore is not subject to the Personal Information Protection Law — a cause of this?
A: That point was discussed during the consideration stage of the revised law that came into force in May 2017. In the end, it was determined that while this data would identify a computer device, it would not lead to an individual’s name and other details, so it was not personal information. The content of the revised law will be reviewed every three years. One point that will be debated in the future is if we decide to separately handle device identifiers as personal information, then services already being widely provided will require an across-the-board review.
We need to think about the balance between the rights and convenience of an individual or service operators.
Q: Some operators collect individuals’ information attached to device identifiers and provide this to companies possessing client information. Even if this information is not personal information at the time it is provided, it becomes personal information when it is combined with the private data possessed by the company receiving it. When personal information is provided to a third party, shouldn’t there be a legal obligation to obtain the consent of the person whose data is being supplied?
A: If the company receiving the information has acquired personal information, I think that company should fulfill its obligations as an operator that handles personal information.
Q: The Personal Information Protection Law’s provisions on acquiring data are extremely weak compared with the provisions covering information provided to a third party. Companies only have to publicly state on their homepage what they intend to use the data for. However, as data on a person has been acquired when they use a service by the company, that person probably won’t notice a policy written on the website of the company receiving this data. From the perspective of affected individuals, even though there is exactly the same effect as their personal information has been supplied, they can’t complain despite the fact it was supplied without their consent. Isn’t that unfair?
A: The breakneck advances in information technology and the diversification of services available have created situations that the Personal Information Protection Law never imagined. It has become difficult to handle these situations just by using this law. Of course, it is important that service operators offer users easily understandable explanations. However, users themselves also need to become more knowledgeable. They need to protect themselves, such as by thinking about what kind of information they provide about themselves by using certain services. Depending on the circumstances, they might need to stop using some services as a means of self-protection.
Saying what must be said
Q: A group of major overseas companies dubbed GAFA — which includes Google and Facebook — are gaining an increasing monopoly on data. Can the commission speak up to these companies?
A: Of course, we will readily say anything that needs to be said to them. Although this wasn’t announced, in November 2017, we gave guidance to Instagram. Last year, in the United States there was a problem when information about celebrities and other people was leaked externally. Instagram issued a statement in English, but nothing was publicly announced in Japanese. Because Instagram handles the data of its users in Japan, we told the company it should also provide an explanation in Japanese. In the end, Instagram issued an explanatory statement in Japanese.
Q: How many overseas operators has the commission acted against?
A: From April to December last year, we mediated 31 cases, collected 533 reports, issued instructions or advice in 335 cases, and conducted 11 on-site inspections. Of these, at least three were measures taken against foreign business operators. From now on, we will continue to actively deal with any violations committed by companies targeting Japanese customers.
— Interview conducted by Yomiuri Shimbun Senior Writer Masako Wakae
■Cambridge Analytica allegations
A former employee of British data analysis company Cambridge Analytica claimed user data the firm acquired from Facebook could possibly have been used in the 2016 U.S. presidential election. Criticism has mounted over revelations that the creator of an app that is logged into through Facebook made it possible to acquire data not only on the app’s user, but also on their Facebook friends. The outcry forced a review of this service.
■The “like” problem
When a user visits a website featuring a “like” button, information about the user’s device and other details is sent to Facebook, even if the button is not clicked. Facebook explains on its own website that it acquires this information, but users do not know which sites have this feature until they visit the sites. When users visit the sites, the information has already been sent, so users cannot refuse to provide the information.
■Mari Sonoda / Secretary General, Personal Information Protection Commission
Sonoda joined the Finance Ministry in 1982. She has worked in the ministry’s international finance bureau, the Research Institute for International Investment and Development at Export-Import Bank of Japan in Washington, and served as director at the National Property Acquisition and Disposition Division of the Financial Bureau. She has also worked in the Specific Personal Information Protection Commission, among others. She took up her current position in 2016.