Note: This website was automatically translated, so some terms or nuances may not be completely accurate.
The DX Engine Driven by Treasure Data and Dentsu Inc. [6]Challenges and Insights for Companies Facing "Personal Information Handling" in the DX Era (Part 2)
The handling of "personal information" is once again drawing significant attention.
This is because the digitization of customer touchpoints has progressed, enabling the collection of personal information at various contact points.
Globally, the trend toward stricter personal information protection regulations, such as GDPR (※1) and CCPA (※2), is intensifying. In Japan, the revision of the Personal Information Protection Act (※3) has also led to challenges across various corporate departments regarding "how to handle customer personal information."
This article presents a roundtable discussion among three experts who directly address client challenges. They explore the essential handling of personal information for DX advancement, the difficulties in advancing related projects, and potential solutions.
Participants include Hiroyuki Tanaka, an attorney providing legal perspectives; Kohei Yamamori from Treasure Data, which provides customer data platforms; and Shiori Imai from Dentsu Digital Inc., which offers comprehensive digital marketing solutions.
※1 GDPR
General Data Protection Regulation: A unified, stringent regulation on personal information protection implemented in 2018 across the EEA (European Economic Area).
※2 CCPA
California Consumer Privacy Act: Enforced in 2020. Applies to businesses handling the personal information of California residents. The first comprehensive state law on personal information in the United States.
※3 Revised Personal Information Protection Act
In 2020, Japan enacted and promulgated the Revised Personal Information Protection Act, which will come into effect within two years. Regulations have been strengthened and expanded, including restrictions on the use of certain cookies.
<Table of Contents>
▼Challenge 1: Decision-making slows due to "differing awareness of personal information" across departments
▼Challenge 2: Shortage of personnel specializing in privacy
▼Challenge 3: Difficulty in achieving transparency in data processing procedures
▼What is required is "explaining things clearly to users"
Issue 3: Difficulty in achieving transparency in data processing procedures
Yamamori: In the digital marketing industry, clients are urgently focusing on the question: "What data can replace third-party cookies?" While the keyword "1ID" exists, we receive many inquiries about how to find such data while complying with the revised Personal Information Protection Law.
Tanaka: In the EU, under GDPR, "cookies and other device identifiers" themselves are considered personal information. Additionally, there are cookie regulations based on national laws under the ePrivacy Directive. Therefore, for cookies other than "strictly necessary cookies" (※4), it is generally necessary to explain to users "how cookies might be used" and obtain opt-in consent. These strict EU regulations became the starting point for third-party cookie responses not only in the EU but globally.
※4 Strictly Necessary Cookies
Cookies strictly necessary for the operation of the website. Typical examples include cookies used to record the contents of a shopping cart on an e-commerce site.
Companies, spurred by GDPR, increasingly implemented transparent explanations through cookie policies and introduced cookie consent tools, creating mechanisms allowing users to make choices.
Meanwhile, Japan's 2020 revision of its Personal Information Protection Act did not classify "cookies and other device identifiers" themselves as personal information. However, certain cookie uses are now regulated under the "personal-related information" provisions.
Imai: The distinction between "personal information" and "personal-related information" can be a bit tricky to grasp, right? From your perspective, Professor Tanaka, could you explain the key points of the amendments concerning personal-related information?
Tanaka: Legally speaking, "personal-related information" isn't regulated solely for cases involving cookies. However, user data linked to cookies that isn't personal information (such as attribute information like preferences and interests) typically falls under personal-related information.
When a company provides this "personal-related information" to a third party, if it is anticipated that "the recipient will acquire that data as 'personal data' (*5)," the provider bears a duty to confirm with the recipient. The content of this confirmation duty is: "Has the recipient obtained consent from the user themselves regarding acquiring that data as 'personal data'?"
※5 Personal Data
Individual pieces of personal information that constitute a "personal information database, etc." are called personal data. Scattered information not contained in a database is personal information but does not qualify as personal data.
The outline of the system revision cited the case of public DMP operators, stating the view that "cases utilizing data through public DMPs raise privacy concerns."
Public DMP operators hold user attribute information linked to cookies, but typically do not manage this as personal data themselves. However, companies receiving data from public DMP operators can link this cookie data with their own separately acquired member registration data, etc., to learn attributes (such as interests and preferences) about those members.
In most cases, the public DMP provider likely transfers data assuming the receiving company will treat it as personal data. Therefore, as mentioned earlier, the public DMP provider incurs an obligation to verify whether the receiving company has obtained consent from the user.
This is a typical application case where regulations are imposed to prevent "data being exchanged using cookies without the user's knowledge." The introduction of personal information regulations does not necessarily mean that the use of cookies in general is restricted.
Imai: I see, that makes sense. Are there any other key points to understand from this amendment besides personal information?
Tanaka: This amendment includes a new provision on the obligations businesses must uphold: "Prohibition of Improper Use." While the prohibition against improper "acquisition" was explicitly stated before the amendment, there was no explicit regulation regarding improper "use."
In other words, while "deceptively obtaining data" was prohibited, there was no explicit regulation against "using data already in possession." This amendment now provides clear grounds to shut down ethically problematic services, such as the "Bankrupt Individuals Map (※6)" that became controversial in 2019.
※6 Bankruptcy Map
A website that collected information on bankrupt individuals and displayed it on an internet map. Closed in 2019 following a request from the government's Personal Information Protection Commission. In this case, consent for third-party provision of personal data was absent, and no notification of third-party provision via opt-out had been filed with the Personal Information Protection Commission, making it easy to determine illegality. However, if a notification for third-party provision via opt-out had been filed, there was concern that the site could have continued operating without individual consent. For details on opt-out notifications, refer to the Personal Information Protection Commission's explanation.
Another point to note is the requirement to enhance the "explanation of data processing methods" when informing users about the purposes of using their personal information. While this is not reflected in the revised statutes themselves, it is expected to be stipulated in guidelines issued around the time of the revision.
When explaining data processing methods, it does not mean detailing algorithms. Rather, it requires clarifying the processing steps to the extent that the purpose for using the collected data is understandable.
For example, instead of a simple explanation like "We use it for advertising purposes," a more transparent and specific explanation is required, such as "We analyze your activity and browsing history to display advertisements tailored to your preferences."
Imai: However, speaking from my practical experience involved in digital marketing strategy development and execution, I find this "transparency of data processing" extremely challenging. Merely knowing the system isn't enough. Unless you understand exactly what data is stored in which databases and how it's processed, explaining the process becomes very difficult.
Tanaka: Many companies don't even fully grasp their current processes to begin with. For such companies, achieving process transparency takes considerable time. Even if they decide to implement a cookie consent tool, they first need to understand how cookies have been utilized up to now.
Imai: Indeed, I believe many companies lack visibility into how they've used cookies themselves. Even when running marketing or sales initiatives on dashboards, they often don't see where cookies were acquired within the process, what data they were linked to, or how they were reflected in specific campaigns.
What I find advantageous about Treasure Data CDP is that it handles raw data, or what's called "full-volume data." If you make decisions based solely on the visualized data on the dashboard, you risk overlooking potentially critical data behind the scenes. In fact, the existence of other underlying data can sometimes mean that user data linked to cookies (such as attribute information like interests and preferences) is considered personal information.
Tanaka: That's the issue of "easily verifiable." Legally, the definition of personal information (※7) includes the phrase "information that can be easily cross-referenced with other information, thereby enabling the identification of a specific individual." If user data linked to cookies can be easily cross-referenced with other information held by a company, and this enables the identification of a specific individual, then it qualifies as personal information.
※7 Definition of Personal Information
Personal information refers to information about a living individual that falls under either of the following: ① Information that can identify a specific individual through the name, date of birth, or other descriptions contained therein (including information that can be easily cross-referenced with other information, thereby enabling the identification of a specific individual). ② Information containing a personal identification code.
Imai: So even with the same cookie, the underlying assumptions can be completely different depending on "how the data is held," right?
Yamamori: That's why, in my case, I start client CDP implementation projects with a comprehensive data mapping exercise. By conducting an "inventory" of what data the client holds from marketing (business), privacy, and legal perspectives, I ensure we align our understanding with the client.
Tanaka: But data mapping is incredibly difficult, isn't it? Even when you distribute sheets to each department to fill out, perceptions vary widely between personnel and departments, making it often quite challenging to get it right.
Imai: It's true that understanding of data ownership varies by department. I also find data mapping difficult.
Tanaka: From a legal perspective, I don't take the data mapping results created by individual staff members at face value. Often, when reviewing the map, I find items that should naturally exist for business operations are missing. Upon confirmation, it frequently turns out, "Actually, it was there." This leads to what you mentioned earlier, Imai-san: "Our assumptions were different."
Imai: Understanding varies by company and individual. Sometimes companies have operational rules stricter than the Personal Information Protection Act. Data mapping can even halt projects. In those cases, we sometimes start by implementing measures using only "data we can understand and judge ourselves," using that as a "breakthrough point."
Yamamori: In our case, we can understand the data stored in Treasure Data CDP, but we obviously don't know about data stored in external databases. Performing data mapping at the start of implementation is also to grasp the full picture of the client's data processes.
In other words, "Data stored in Treasure Data CDP may not be personal information on its own, but when integrated with other internal data, it can become personal information due to easy cross-referencing." As a countermeasure, we ensure the ability to execute the "disclosure," "suspension of use," and "deletion" of held personal data as stipulated by the revised Personal Information Protection Law.
Hearing both of your perspectives, it's fascinating to see how the differences in your approaches highlight the challenge of confirming the "assumptions" about the data clients hold and making that process transparent.
Imai: Treasure Data is helpful because they clearly explain these data-related matters. There are differences in approach even among CDP vendors, so partner selection is crucial.
What's required is "explaining things clearly to users."
Imai: Regarding privacy protection, besides legal risks, the damage to corporate image from "backlash" is also a major concern. Professor Tanaka, what measures do you think are necessary to avoid such backlash?
Tanaka: It may sound cliché, but ultimately, the most effective way to prevent major missteps and backlash is to constantly consider the broader perspective: Are we surprising data subjects? Are we doing anything ethically questionable?
This is because, regarding the Personal Information Protection Act, enforcement cases are rarely made public. There are inherent limitations to reacting piecemeal by chasing after such limited enforcement precedents.
Thinking of it as "measures to prevent backlash" inevitably makes it seem reactive. But if we approach it with the mindset of "thinking about how to provide a service mindful of privacy protection so users can use it with peace of mind," we can tackle it with a proactive stance.
Yamamori: Ultimately, backlashes occur when actions perceived as "odd" or "inappropriate" by the public come to light. Legally, they might not be wrong, but they ignite when ordinary people deem them inappropriate.
Imai: That said, if you become overly defensive, the process of obtaining consent can become strained, which in turn makes users wary. Some companies seem to get too caught up in the mindset of "adhering to the law" or "following our own rules," to the point where that becomes the goal itself.
Tanaka: That's a crucial point. Whether in Europe or Japan, what authorities demand is simply "explain things clearly to users." They absolutely aren't requiring companies to present users with rigid, legalistic language.
If you become overly conservative and include phrases like "Based on Article X, Section Y..." in your explanations, or try to obtain user consent using complex legal jargon, users ultimately won't understand what you're actually doing. If users don't understand, it doesn't count as "explaining," right?
Imai: This might be less about legal documents and more about how to design communication. It connects to how the company conveys its statements and messages.
Yamamori: As Professor Tanaka mentioned, it's crucial to avoid giving users "bad surprises."
Tanaka: From the user's perspective, it's unacceptable for them to think, "This text doesn't clearly explain how my information will be used."
Imai: So the privacy policy is part of the customer experience.
Tanaka: We lawyers tend to write stiffly (laughs), so this is where you guys, always communicating from the client or user's perspective, really shine, right?
It boils down to a simple principle: "Explain how the information will be used and obtain consent when necessary." Providing clear explanations and an intuitive interface for users is crucial. It's not about thinking "Obtaining consent is all you need" or conversely, "You can't do anything without consent."
When consent is required, provide clear, accurate information users can understand. Even when consent isn't needed, strictly comply with legal regulations. We should approach this strategically.
Yamamori: I believe a "good tool" is one that allows even those without legal knowledge to comply with the law. Examples include features like "not automatically importing 16-digit numbers because they could be credit card numbers" or the ability to set granular access permissions.
When companies provide such features, it enables the utilization of data while complying with regulations and privacy in an era where personal data is becoming democratized.
Imai: When companies design superior customer experiences while respecting privacy, it directly translates into value for the users actually utilizing the service. We aim to provide cross-functional support to clients engaged in privacy-related projects, collaborating not only within Dentsu Inc. and Dentsu Digital Inc.'s capabilities but also with technology companies offering tools like Treasure Data and legal experts like Professor Tanaka.
If you are interested in the solutions provided through the collaboration between Treasure Data and Dentsu Inc./Dentsu Digital Inc., please feel free to contact us.
[Download Overview Materials Here]
https://www.treasuredata.co.jp/d-dd-td-download/
[Contact Us Here]
https://www.treasuredata.co.jp/dx-engine-contact-us/
Was this article helpful?
Share this article
Newsletter registration is here
We select and publish important news every day
For inquiries about this article
Back Numbers
Author
Hiroyuki Tanaka
Partner, Mori Hamada & Matsumoto, Attorney at Law, New York State Bar
Graduated from Keio University Faculty of Law, Department of Law in 2004; Graduated from Keio University Graduate School of Law in 2006; Registered as an attorney in 2007; Completed New York University School of Law in 2013 (LL.M. in Competition, Innovation, and Information Law); Practiced at Clayton Utz LLP (until August 2014), admitted to the New York State Bar in 2014, served as a part-time lecturer at Keio University Faculty of Law from April to August 2018. Extensive experience in Japanese Personal Information Protection Law, global data protection laws (including GDPR and CCPA compliance), and privacy protection measures. Also handles numerous cases involving intellectual property and IT.
Kohei Yamamori
Treasure Data Inc.
Director of Business Development
At Dream Incubator Inc., primarily engaged in consulting services for the entertainment industry and private equity funds, as well as hands-on support for the company's portfolio companies. From 2013, seconded to portfolio company iPet Insurance, later transferring permanently to become Head of the President's Office. Listed on Mothers in 2018. At iPet, led initiatives including sales channel shift leveraging digital marketing, RPA implementation projects, development of agency-facing operational systems, liaison with the Financial Services Agency, and investment operations. Joined Treasure Data in 2019.
Imai Shiki
Dentsu Digital Inc.
Business Transformation Division Service Marketing Department
Group Manager
Since joining Dentsu Inc., I have been dedicated to developing and implementing IT systems and overseas applications utilizing marketing technology. I possess extensive experience in formulating data strategies and developing new businesses leveraging cutting-edge technologies. My primary areas of responsibility include government agencies, telecommunications companies, and the automotive sector. After being seconded to Dentsu Digital Inc. in 2016, I directed the entire digital transformation process—from data infrastructure design and DMP construction to establishing operational frameworks. In recent years, I have also been involved in data management with a focus on data privacy.
