学術論文誌 Journal of Information Processing に当研究所研究員の論文が採択されました

採択された論文

2023年12月

Analysis of Privacy Compliance by Classifying Policies Before and After the Japanese Law Revision

学術誌：Journal of Information Processing 2023 Volume 31
著者：Keika Mori (DTCY/Waseda University), Tatsuya Nagai, Yuta Takata, Masaki Kamizono (DTCY), and Tatsuya Mori (Waseda University/NICT/RIKEN AIP)
https://www.jstage.jst.go.jp/article/ipsjjip/31/0/31_829/_article/-char/en（外部サイト）

論文概要

Companies and organizations inform users of how they handle personal data through privacy policies on their websites. Particular information, such as the purposes of collecting personal data and what data are provided to third parties is required to be disclosed by laws and regulations. An example of such a law is the Act on the Protection of Personal Information in Japan. In addition to privacy policies, an increasing number of companies are publishing security policies to express compliance and transparency of corporate behavior. However, it is challenging to update these policies against legal requirements due to the periodic law revisions and rapid business changes. In this study, we developed a method for analyzing privacy policies to check whether companies comply with legal requirements. In particular, the proposed method classifies policy contents using bidirectional encoder representations from transformers and evaluates privacy compliance by comparing the classification results with legal requirements. In addition, we analyzed security policies using the proposed method, to confirm whether the combination of privacy and security policies contributes to privacy compliance. In this study, we collected and evaluated 1,298 privacy policies and 139 security policies for Japanese companies. The results revealed that over 90% privacy policies adequately describe the handling of personal information by first parties, user rights, and security measures, and over 90% insufficiently describe the data retention and specific audience. These differences in the number of descriptions depend on industry guidelines and business characteristics. Additionally, security policies were found to improve the compliance rates of 48 out of 139 companies by describing security practices not included in privacy policies. Finally, we conducted a comparative analysis of policies before and after the Japanese law revision. We identified that although companies updated their policies, these updates were insufficient to meet the new law requirements.