“An attempt at the secure use of GPS information by the PPC, Japan”
Dr. Taro Komukai, Professor at College of Risk Management, Nihon University, Japan.
The amended Act on the Protection of Personal Information (APPI) in Japan is going to introduce a legal scheme of “anonymously processed information” this year in order to facilitate high utilization of individuals’ information, while protecting privacy. This system can be made effective by implementing anonymous processing technology and its methods of operation in accordance with Privacy by Design. Japan’s Personal Information Protection Committee (PPC) issued a staff report showing concrete guidelines concerning anonymously processed information in February 2017, and the “mobile history of cars” is shown as a use case. This article aims to introduce this use case as an effort to realize Global Privacy and Security by Design.
The progress of IoT (the Internet of Things) and M2M (Machine to Machine) results in various data being automatically collected. Such information is integrated and processed by the development of big data processing and AI technology, and new information is generated regularly. However, in such technologies, there are many cases where information is collected without users being aware of it, and there is also a growing concern about privacy and personal information, which we did not have in the past. Although information acquired through Global Positioning System (GPS) is expected to significantly and positively contribute to society and the convenience of users, it could cause serious problems in terms of privacy and personal information protection.
In Japan, a legal scheme for “anonymous processing information” is going to be introduced in May 2017, as a result of the amendment of the APPI in 2015. “Anonymously processed information” is defined as information relating to an individual that can be produced by processing personal information and taking appropriate action so as to neither be able to identify a specific individual nor be able to restore the personal information. Although the APPI prohibits business operators who handle personal information from providing personal data to third parties without obtaining the principal’s consent in advance, anonymously processed information can be provided to a third party without consent.
In order to create a win-win situation for protection and utilization in such a legal scheme, it is required to conduct the process with the appropriate anonymous processing technology and methods of operation. In February 2017, the PPC issued a staff report on anonymously processed information to encourage voluntary efforts among businesses handling personal information, and it showed examples including the “mobile history of cars,” which it used as a case about GPS location information.
This use case assumes that an automobile company provides a retailer with anonymously processed mobile history. The retailer uses the information, including the mobile history of the car and the basic attributes such as age and gender of the owner, for planning product lineups and new store openings.
The data sets used in this case are as follows: (1) Customer attribute data includes the basic attributes of the customer, type of car, and vehicle registration number. (2) Probe data consists of date and time, location information (latitude and longitude), vehicle speed, and ABS (Antilock Brake System) records. (1) and (2) are connected by the user ID. The probe data is regularly transmitted by the communication device on each vehicle to the automobile company’s data center.
Examples of processing methods considered to be appropriate are shown in Table 1.
Table 1. Examples of processing in the use case of the mobile history of cars
| Data |
Possible Risk |
Appropriate Processing |
|
Personal attribute information
|
| ID |
It is used as a code for connecting customer attribute data and probe data. |
Delete all or replace with a temporary ID. |
| Name |
Individuals can be identified by their names. |
Delete all. |
| Gender |
Combination with birth date and address may lead to identification of individuals. |
In this case, we respond by processing birth date and address. |
| Birth date |
Combination with address and gender may lead to the identification of individuals. |
Replace with 6 categories (20s/30s/40s/50s/60s/70s). |
| Address |
Combination with birth date and gender may lead to identification of individuals. Also, there is a risk of personal access. |
Reduce information on address details more specific than city unit. |
| Type of Car |
Combination with address, birth date, etc. may lead to identification of individuals. |
“Luxury car” “Compact car” and other vehicle categories. |
| Vehicle Registration number |
(Assuming unnecessary information for the purpose of this study) |
Delete all. |
|
History-related information
|
| Date and time |
Based on detailed time information and location information, there is a possibility that it will lead to the identification of individuals. |
Delete seconds and replace with minutes. |
| Longitude and latitude |
Based on location information at night or in the daytime, home or workplace may be specified. |
Delete the latitude /longitude in a certain range from the location where the car is present for a certain amount of time. Alternatively, delete the latitude /longitude of several minutes from the start and several minutes before the end of running. |
| Type of Road |
(Assuming unnecessary information for the purpose of this study) |
Delete all. |
| Vehicle speed |
When combined with date and time, there is a possibility that deleted location information can be restored. |
· Delete the vehicle speed in the time zone when deleting the latitude/longitude.
· Replace vehicle speed with 6 categories (~ 10 kmph/10 kmph/20 kmph/30 kmph/40 kmph/over 50 kmph).
|
| ABS record |
(Assuming unnecessary information for the purpose of this study) |
Delete all. |
The PPC Staff Report, “Anonymously Processed Information, Promoting the Utilization of Personal Data and the Confidence of Consumers,” February 2017.
The report points out the following methods of deleting information that can indicate a driver’s home, workplace, school, etc.
- Delete the location information near the home address.
- Delete mobile history generated a certain distance from the start and end points of each item in mobile history
- Delete some percentage of the location information from the start and end points of each item in mobile history.
Basically, it is recommended to delete information that is unnecessary for the purpose of use as much as possible, and the deletion of ID, name, vehicle registration number, type of road, ABS record, etc. is considered preferable. Even if information is necessary for the purpose of use, it is recommended to make a reduction so that it does not lead to the identification of a specific individual. As for birth date, address, type of car, date and time, latitude and longitude, and vehicle speed, data reduction is recommended within ranges that can achieve the purpose of use.
It is generally difficult to state clear requirements for the proper anonymization or de-identification of personal information according to law. Moreover, it must be challenging for regulatory authorities to show use cases in order to facilitate the utilization of anonymously processed information, as this could also make it difficult to enforce the law. Nonetheless, I believe it is valuable to consider the balance between privacy protection and information utilization in an official framework. It is hoped that the methods of anonymously processing information will be further refined through the accumulation of experience.