Following the call for international standards on Artificial Intelligence (AI) at the recent G7 summit, on 2 June 2023, in a rare move, Japan’s Personal Information Protection Commission (PPC) issued two warnings in a publicly released letter (the “Letter”):
- firstly to the three categories of users of generative AI services, i.e.,
- business operators who collect personal information and thus are subject to the Act on the Protection of Personal Information of Japan (APPI);
- government agencies, which may adopt generative AI services into their operations; and
- the general public; and
- secondly to the “ChatGPT” developers/publishers.
More specifically, the PPC’s warnings to the developers/publishers included notably calls to effectively prevent the collection or retention of, as well as to remove, certain sensitive personal information from the data they collect, and to notify purposes of use of personal information in Japanese language to all data subjects whether they are users of its services or not.
In addition, in the Letter, the PPC cautioned business operators subject to APPI to sufficiently ensure that any personal information used in the submission of a prompt to generative AI services was indeed necessary to achieve the originally intended purposes. Potential uses of the personal data for other purposes, notably for the generation of responses to other prompts, may constitute a violation of APPI if it is done without the data subject’s consent. Consequently, the PPC warns that the business should adequately confirm that the relevant generative AI services provider does not use personal data for machine learning purposes in such circumstances. The PPC’s warning clarified that the responsibility for ensuring compliance with APPI lies with the business operators who decide to use and deploy generative AI services, and let the world know that the Japanese privacy regulator has particular interests and concerns with such deployment. Businesses should take this into consideration when adopting generative AI into their operations, and ensure that their operations are set up in a way that is compliant with applicable APPI requirements, which may mean updating their policies and procedures relating to use of personal information.