Generative AI and the Protection of Personal Information under the Japanese Law
1. Alert to Business Operators
On June 2nd, an Alert including the following statement was issued to business operators handling personal information (“Business Operator(s)”) by the PPC.
- When a Business Operator enters a prompt containing personal information into a generative AI service, it should be thoroughly confirmed that the prompt is within the scope necessary to achieve the specified purpose for which the personal information is used.
- If a Business Operator inputs a prompt containing personal data into a generative AI service without obtaining the consent of the person in advance, and the personal data is handled for purposes other than outputting the response result to the prompt, the Business Operator may be in violation of the provisions of the Personal Information Protection Act (“PIPA”). Therefore, when inputting such a prompt, it should be thoroughly confirmed that the provider of the generative AI service does not use the personal data for machine learning.
2. Purpose of Use
Under the PIPA, Business Operators need to specify the purpose of use of the personal information when handling personal information (Article 17.1), and shall publicly announce or promptly notify the individual of such purpose of use when acquiring personal information (Article 21.1). Business Operators handling personal information shall not handle personal information beyond the scope necessary for the achievement of the purpose of use without obtaining the prior consent of the person (Article 18.1).
The PIPA’s above regulation regarding the purpose of use should apply to generative AIs. Since there are various kinds of generative AI at the moment and the mechanism varies depending on the service, it is possible that, when a prompt containing personal information is entered, the personal information may be handled beyond the scope of the purpose of use identified above. Therefore, Business Operators should check whether the use of the generative AI service exceeds the scope necessary for the intended use, taking into account the intended use of the personal information as well as the specifics of the generative AI and its terms of service.
3. Provision of Personal Data to Third Parties
Business Operators, in general, need to obtain the prior consent of the individual when providing personal data to third parties (Articles 27 and 28).
The second point of the PPC’s alert is based on the above regulations, and implies that it may be illegal for personal data to be handled for purposes other than outputting the response result to the prompt when the consent of the individual has not been obtained.
The scope of PPC’s statement needs to be considered carefully.
The Q&A on the PPC guidelines (“Q&A”) states that it is not necessary to obtain the consent of the person for cloud services that meet certain requirements (the “Cloud Exception”; Q&A 7-53 and 7-54). Some may argue that this Cloud Exception applies to generative AI services. However, it is uncertain whether services such as ChatGPT immediately meet the requirements of the Cloud Exception, since it is likely that these generative AI services are to be construed as handling personal data.
It may also be argued that the use of generative AI may be construed as entrusting the handling of personal data, which is an exception under the PIPA to the requirement of obtaining the consent of the individual (Article 27.5.1). However, the PIPA requires Business Operators to supervise the trustee when entrusting the handling of personal data (Article 25), and it is highly unlikely that Business Operators can supervise the service providers of generative AIs such as OpenAI. In addition, it should also be noted that in the case of entrustment, the entrusted information must be handled separately from (and not mixed with) the personal information of other Business Operators (Q&A 7-37).
In conclusion, the use of generative AI is highly likely to be construed as provision of personal data to third parties, which requires the consent of the individual, at least at the moment.
4. Alert to OpenAI
On the same day as the Alert to Business Operators, the PPC issued an Alert to OpenAI, which mainly focuses on sensitive personal information.
(1) The following four points should be implemented regarding collecting information for machine learning.
(i) To take necessary measures to ensure that the information collected does not include sensitive personal information.
(ii) To take measures as soon as possible after the collection of information to reduce as much as possible the sensitive personal information that may be included in the collected information.
(iii) If it is discovered that the collected information contains sensitive personal information even after taking the measures described in (i) and (ii) above, measures shall be taken to delete the sensitive personal information or to make it impossible to identify a specific individual as soon as possible and before processing it into a data set for learning.
(iv) If the individual or the PPC requests or instructs not to collect sensitive personal information from a specific site or a third party, the request or instruction must be complied with unless there is a justifiable reason for refusal.
(2) OpenAI should not handle sensitive personal information entered into the prompt by a user who has chosen not to have it used for machine learning, unless there is a justifiable reason for doing so.
Under the PIPA, Business Operators can, in general, only acquire sensitive personal information after obtaining the individual’s prior consent (Article 20.2). The alert by the PPC, in short, requests OpenAI not to collect sensitive personal information, to take necessary measures (including technical measures) to remove sensitive personal information immediately after collection, and, in the case that sensitive personal information is still included, to remove the information before processing it into a data set for learning.
Following this alert, it has been made clear that OpenAI, as well as other generative AI operators, will need to take reasonable steps to ensure that sensitive personal information is not included when creating datasets.
Article provided by INPLP member: Satoshi Shono (MATSUDA & PARTNERS, Japan)
Dr. Tobias Höllwarth (Managing Director INPLP)