Summary of the Guideline on Personal Information Protection in EC

Summary of "the Guideline on Personal Information Protection in EC in the Private Sector (V1.0)" Privacy Issues WG 1. Preparation of the Guidelines The protection of personal information in EC transactions is a critical theme around the world, as is evident in the “self-regulations” of the US and the “legal approach” in the EU. In Japan, the protection of personal information in the private sector fields that fall under the jurisdiction of MITI is regulated by the Guidelines Regarding the Protection of Personal Information Associated with Electronic Computer Data Processing in the Private Sector (MITI Notice #98 of March 4, 1997). Trade organizations are adopting their own industrial guidelines in response to the particular needs of their fields, and, based on those trade organization guidelines, individual companies are adopting compliance programs for strict adherence to the recommendations made for the protection of personal information. These activities are all efforts to raise the standards of protection. The Privacy Issues WG is taking the initiative in the field of EC by adopting the Guideline on Personal Information Protection in EC in the Private Sector, guidelines that clearly spell out the proper handling and protection of personal information. 2. Summary of Results 1) Summary of the Guideline on Personal Information Protection in EC in the Private Sector (V1.0) The present guidelines are a revision of the “alpha version” adopted in May 1997. The features of these guidelines are: (1) They stipulate that personal information must be handled in an integrated manner focusing not only on “transactions” but on all advertising and promotional activities as well. In EC transactions, personal information can be divulged merely by accessing an electronic site. Thus, focusing on transactions alone would be insufficient to adequately protect all the personal information acquired through EC. For example, personal information divulged in response to questionnaires, lotteries, and premium offers but not accompanied by marketing or sales of a particular product or event must still be understood as personal information subject to full protection. Thus, these protections must not be limited to commercial transactions involving contracts or the like. Any act involving an electronic network that might be construed as an inducement to a contract, such as “advertising and promotion” must be regarded an EC transaction subject to the provisions of these guidelines. (2) They clarify the purposes, terms, and conditions of collection, use and provision of personal information. In electronic commerce, information is traded on an electronic network, and EC notices to the data subject (consumer) must be conveyed not on paper but via the network. Thus, these guidelines clearly establish as a fundamental principle the requirement that the purposes of the collection, use, and distribution of personal information be displayed on the screen to the data subject, and the items that must be displayed are enumerated. Further, they stipulate in concrete detail the situations in which it is acceptable to collect information indirectly from a source other than the data subject, and use or provide that information within or beyond the collection purposes stated. (3) They clarify and establish the data subject’s right to have personal information disclosed, corrected, or deleted, and prescribe methods for doing so, as well as other methods for protecting sensitive information. To emphasize the data subject’s right to protection in EC transactions, and to clearly identify sensitive types of information, the guidelines provide necessary obstacles to the collection of certain kinds of information. In addition, they both stipulate the data subject’s right to have personal information disclosed, corrected, or deleted and prescribe specific methods to assist data subjects in exercising that right. Further, they stipulate that the data subject must be informed of the right to this information and the methods for exercising that right. In some cases, for example, a customer may have paid the full price for a product, but the merchant’s records erroneously state that the bill is unpaid. Such errors could seriously harm the interest of the consumer. Therefore, the consumer must have the right to have such information disclosed and be fully aware of the process by which such errors can be corrected. Such processes are critical to protecting the interest of the data subject. (4) They clarify roles and responsibilities, and stipulate appropriate management of personal information. The first requirement is the technological ability to guarantee the safe trading of information. The guidelines further stipulate the obligations of the merchant directly involved in handling personal information, and outlines in concrete detail the responsibilities of those who manage personal information. The increasing computerization in recent years has made the information processing tasks of merchants ever more diverse and complex. Under these circumstances, to make their systems more efficient or improve customer service, more merchants are subcontracting their information processing tasks. This increase in subcontracting raises the need for measures to prevent problems related to the processing of personal information that originate with the contracted information processor. These guidelines provide standards for selecting information processors willing and able to abide strictly by the safety standards stipulated by governmental agencies. They also cover the process of contracting an information processor, stipulating that the allocation of responsibility, confidentiality requirements, a prohibition against providing the information externally, and commissioned processing period should be stated in writing. Further, when the contract term is over, the subcontractor must agree to return or delete all personal information obtained from the merchant. (5) They address the needs of new merchants unused to handling personal information. Given the fact that electronic commerce will spawn many new merchants who will be handling personal information for the first time, the guidelines address these beginners and the fact that many sellers will be individuals rather than companies. (6) They seek to protect personal information obtained from children. With personal computers now so easy to operate and the use of computers incorporated into school curricula, it has become easy for children to respond to questionnaires and even order goods and services via electronic networks. Thus, personal information regarding the children themselves and their parents can be obtained from children. Children, however, may not be aware of the significance of the personal information they are divulging or understand the objectives of those collecting it. Thus, children on line must be handled with great care, with explanations regarding the information presented extremely clearly, leaving no room for misunderstanding. Furthermore, because parents may worry that the information their children divulge may work somehow to their detriment, merchants that ask children to input personal information must explain the situation in advance to the guardian and obtain their understanding and consent. To ensure that neither the children nor the parents are harmed by the misuse of personal information divulged by children, the guardian must have the same right as the child with respect to the information collected. 2) A concrete demonstration for merchants on the model home page To be effective, these Guidelines must be known and used. Wide-spread EC education is needed, especially for merchants new to the handling of personal information. As one tool for that education, this Working Group has created a model home page that embodies these guidelines and demonstrates their provisions in concrete form. On the model home page, before receiving an order from the consumer, a screen is displayed that explains why the requested personal information is being collected and how it will be used. When part of a company’s service is the provision of information regarding goods or events, that purpose is explained to the consumer, and a clear method is built in that allows the consumer to reject that service. As a general rule, personal information may not be provided to others. However, a screen is provided which specifically asks the consumer about receiving information regarding goods or events. If the consumer agrees, then the consumer’s name, address, and e-mail address may be provided to other shops that protect personal information. The model home page also explains how to display registered personal information and how to correct or delete erroneous information, and clearly states that we are open to consumer inquiries by email, telephone, or fax.