課題Ⅰ 第４編② 第三者提供の制限 ― 同意・オプトアウト・非該当類型

When providing personal data to a third party, prior consent of the individual must be obtained as a general rule (Article 27, Paragraph 1). This is one of the most fundamental rules under the Act on the Protection of Personal Information. For a personal information handling business operator to pass personal data it holds to an external third party, the premise is that the individual recognizes and approves of that provision. This consent is a core mechanism for protecting the rights and interests of the individual, and violations may result in recommendations or orders from the Personal Information Protection Commission.

There are no particular restrictions on how consent may be obtained. Written documents (signing and sealing a consent form), verbal consent, email, web form submission, and checkbox input are all valid. Furthermore, implied (tacit) consent is also recognized within a reasonable scope. For example, if the terms of service clearly state that data will be provided to third parties and the user begins using the service, this can be interpreted as implied consent. However, it is desirable to keep records in order to avoid disputes at a later date.

However, when the exception grounds stipulated in each item of Article 27, Paragraph 1 apply, third-party provision is possible without the individual's consent. Item 1 covers cases based on laws and regulations. Specifically, this includes submission of payment records under the Income Tax Act, inquiries from bar associations (Article 23-2 of the Attorneys Act), and responses to court-commissioned investigations.

Item 2 covers cases where it is necessary for the protection of a person's life, body, or property, and obtaining the individual's consent is difficult. For example, providing safety and well-being information about disaster victims to local governments or medical institutions during a large-scale disaster falls under this category. This also includes cases where the individual is unconscious and consent cannot be obtained.

Item 3 covers cases where it is especially necessary for the improvement of public health or the promotion of the sound upbringing of children, and obtaining the individual's consent is difficult. Typical examples include reporting the occurrence of an infectious disease to a public health center, or notifying a child consultation center when there is suspicion of child abuse.

Item 4 covers cases where cooperation is necessary for a national agency, local government, or a party entrusted by them to carry out duties prescribed by law, and obtaining the individual's consent would impede the performance of those duties. For example, this includes responding to tax investigations and cooperating with police inquiry requests (Article 197, Paragraph 2 of the Code of Criminal Procedure). This is because requesting consent from the individual might cause the investigation target to destroy evidence.

Furthermore, through the 2020 (Reiwa 2) amendment, cases for academic research purposes were also organized as exception grounds. This applies when universities or other institutions whose purpose is academic research, or individuals belonging to them, need to handle personal data for the purpose of serving academic research.

Article 27, Paragraphs 2 through 4 establish third-party provision through the opt-out mechanism. Opt-out is a mechanism that allows personal data to be provided to third parties without the individual's prior consent, but with the condition that provision must be stopped if the individual requests it. In other words, it guarantees the individual's right of self-determination in the form of "you can refuse if you don't want it."

To use the opt-out mechanism, two procedures are required. First, a notification must be filed with the Personal Information Protection Commission in advance. Second, prescribed matters must be publicly announced, or the individual must be notified, or the information must be placed in a state where the individual can easily learn of it. If these two requirements are not met, provision through opt-out is not permitted.

The matters that must be publicly announced are as follows: (1) the name and address of the personal information handling business operator, and in the case of a corporation, the name of its representative; (2) that the purpose of use includes third-party provision; (3) the categories of personal data to be provided; (4) the method of provision; (5) that provision will be stopped at the individual's request; and (6) the method for accepting the individual's requests.

The 2020 amendment (Reiwa 2 amendment) added important restrictions on the use of the opt-out mechanism. The following three types of personal data are prohibited from being provided to third parties via opt-out. First, sensitive personal information — information such as race, creed, medical history, and criminal record that may give rise to unjust discrimination cannot be provided via opt-out. Second, personal data obtained through illicit means. Third, personal data obtained from other business operators via opt-out. This third restriction is called the "prohibition of double opt-out" and is intended to prevent personal data from spreading endlessly through a chain of opt-outs.

The Personal Information Protection Commission is obligated to publicly announce a list of business operators that have filed opt-out notifications (Article 27, Paragraph 4). This allows consumers to check which business operators are using the opt-out mechanism.

Article 27, Paragraph 5 provides for three types of cases where personal data formally moves externally but the recipient is not deemed a "third party." In these cases, neither consent from the individual nor the opt-out procedure is required. However, each type has its own inherent obligations and conditions.

Item 1: Outsourcing (entrustment). When the handling of personal data is outsourced in whole or in part, the contractor does not constitute a third party. For example, outsourcing salary calculation to an external labor and social security attorney, outsourcing data processing to a cloud service provider, or outsourcing the dispatch of direct mail to an external vendor are typical examples.

However, in the case of outsourcing, the outsourcing party bears an obligation under Article 25 to exercise necessary and appropriate supervision over the contractor. Specifically, the content of safety management measures must be made clear in the outsourcing contract, and the outsourcing party must understand the handling situation at the contractor. If the contractor causes a data breach, the outsourcing party that neglected its supervision obligation may also be held responsible.

Item 2: Business succession. When a business is succeeded through a merger, company split, business transfer, or similar event, personal data transfers together with the business. The successor does not constitute a third party. This is a provision to ensure business continuity and enable the smooth implementation of M&A and similar transactions.

However, the successor must handle personal data within the scope of the purpose of use prior to the succession. If personal data acquired through a merger is used for a purpose completely different from the original purpose of use, it is necessary to either obtain the individual's consent anew or go through the procedure for changing the purpose of use.

Item 3: Joint use. When personal data is used jointly with specified parties, those joint-use parties do not constitute a third party. Sharing customer data among group companies or sharing information among industry peers are typical examples.

To carry out joint use, the following five matters must be notified to the individual in advance, or placed in a state where the individual can easily learn of them: (1) that joint use will take place; (2) the categories of personal data to be jointly used; (3) the scope of the parties who will jointly use the data; (4) the purpose of use by those parties; and (5) the name and address of the party responsible for managing the personal data, and in the case of a corporation, the name of its representative.

For exam preparation regarding restrictions on third-party provision, the following points should be firmly mastered. Memorize all exception grounds under Article 27, Paragraph 1, and link them with concrete examples. Be able to accurately enumerate the six notification items for opt-out and the five announcement items for joint use. The restrictions added by the 2020 amendment (sensitive personal information, illicit acquisition, and double opt-out) are tested frequently. Understand the three types of cases that do not constitute a "third party" and the differences in the responsibility structure for each.