課題Ⅰ 第１編 個人情報保護の法体系と各種認定制度

The international starting point for personal information protection is the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" adopted by the Organisation for Economic Co-operation and Development (OECD) in 1980. These guidelines established the following eight principles: (1) Collection Limitation Principle: personal data should be collected by lawful and fair means, with the consent of the data subject. (2) Data Quality Principle: data should be kept accurate, complete, and up-to-date within the scope necessary for the purpose of use. (3) Purpose Specification Principle: the purpose of use should be clarified at the time of collection. (4) Use Limitation Principle: data should not be used for purposes other than those specified. (5) Security Safeguards Principle: reasonable security safeguards should be taken. (6) Openness Principle: policies regarding data should be disclosed. (7) Individual Participation Principle: data subjects have the right to access, correct, and delete their own data. (8) Accountability Principle: data controllers bear responsibility for compliance with the above principles.

The OECD 8 Principles are a recommendation without legal binding force, but they became the foundation for personal information protection legislation in countries around the world. Japan's Personal Information Protection Act also has a structure reflecting these 8 principles. For example, the Collection Limitation Principle corresponds to proper acquisition under Article 17, the Purpose Specification Principle corresponds to specification of purpose of use under Article 17(1), and the Security Safeguards Principle corresponds to safety management measures under Article 23. Because the exam may ask "which OECD principle corresponds to which article of Japanese law," the names and content of all 8 principles should be memorized accurately.

In 1995, the EU adopted the "Data Protection Directive" (Directive 95/46/EC). This directive introduced the mechanism of adequacy decisions, which in principle prohibit the transfer of personal data to third countries that do not have a sufficient level of protection, urging countries to develop their legislation. In 2018, the "General Data Protection Regulation" (GDPR) came into force as its successor. The GDPR is a regulation directly applicable in all EU member states and has extraterritorial application provisions, meaning it also affects Japanese companies that handle personal data of individuals within the EU. Penalties for violations are stipulated as the higher of up to 4% of worldwide annual revenue or 20 million euros, making it extremely strict.

On January 23, 2019, the mutual adequacy decision between Japan and the EU (Japan-EU mutual recognition) took effect. This made Japan one of the countries that received an adequacy decision under Article 45 of the GDPR, allowing the transfer of personal data from within the EU to Japan in principle. At the same time, Japan's Personal Information Protection Commission also recognized the EU as a valid transfer destination for personal data. However, when Japanese business operators receive data from the EU, they must comply with "Supplementary Rules." The Supplementary Rules require expanding the scope of special care-required personal information to be equivalent to GDPR's "special category data," abolishing the retention period limitation for retained personal data, and adding extra conditions for the handling of anonymously processed information.

Japan's personal information protection legal system has developed in stages. In 1988, the "Act on the Protection of Personal Information Held by Administrative Organs in Computer Processing" was enacted targeting administrative organs. This covered only personal information processed by computers at administrative organs and did not include private-sector business operators. The Personal Information Protection Act enacted in 2003 (fully enforced in 2005) was a comprehensive law covering private-sector business operators, establishing basic principles (Chapter 1) and obligations of private-sector business operators (Chapter 4). However, initially there was a "5,000 record requirement," and small-scale business operators handling 5,000 or fewer personal information records were excluded from application.

The 2015 amendment (fully enforced in 2017) was a major overhaul. The main amendments were as follows. First, the establishment of the Personal Information Protection Commission. Previously, each ministry supervised its jurisdictional industry under a "joint jurisdiction" system, but this was unified into an independent supervisory authority. Second, the creation of "special care-required personal information." This includes race, creed, social status, medical history, criminal record, and crime victimization information, and obtaining such data now in principle requires the consent of the individual. Third, the creation of the "anonymously processed information" system. Fourth, the abolition of the 5,000-record requirement made all business operators subject to the law. Fifth, the definition of personal information was clarified, and "personal identification codes" were newly established.

The 2020 amendment (enforced April 2022) further strengthened individual rights. The requirements for the right to request suspension of use and deletion were relaxed—previously limited to cases of "use beyond the purpose" or "improper acquisition," they now also apply when "the rights or legitimate interests of the individual are likely to be harmed." Additionally, "pseudonymously processed information" was created—a category with a lower degree of processing than anonymously processed information, introduced for use limited to internal analysis. Breach reporting was made mandatory, requiring reporting to the Personal Information Protection Commission and notification to the individual (in certain cases such as leakage of special care-required personal information or leakage exceeding 1,000 records). Furthermore, statutory penalties were raised (maximum fine of 100 million yen for corporations).

The 2021 amendment (enforced April 2022) is called the "Three-Law Integration" and achieved the unification of the personal information protection legal system. Previously, three separate laws coexisted: (1) the Personal Information Protection Act (private sector), (2) the Administrative Organs Personal Information Protection Act, and (3) the Incorporated Administrative Agencies Personal Information Protection Act. These were integrated into a single law. Local public entities (municipalities) were also brought under the Personal Information Protection Act, and nationwide uniform rules became applicable (enforced April 2023).

The current Personal Information Protection Act consists of main provisions and supplementary provisions. The main provisions are structured as follows: Chapter 1 "General Provisions" (purpose and definitions), Chapter 2 "Responsibilities of the National and Local Public Entities," Chapter 3 "Measures Related to Personal Information Protection," Chapter 4 "Obligations of Personal Information Handling Business Operators" (the chapter most tested on the exam), Chapter 5 "Obligations of Administrative Organs," Chapter 6 "Personal Information Protection Commission," Chapter 7 "Miscellaneous Provisions," and Chapter 8 "Penal Provisions." As subordinate norms below the law, the Cabinet Order (Enforcement Order) is enacted by the Cabinet based on delegation from the law, and the Enforcement Rules are determined by the Personal Information Protection Commission. Guidelines are positioned further below, providing detailed practical interpretations.

The Personal Information Protection Commission is an independent administrative commission (a so-called "Article 3 Commission"), an external bureau of the Cabinet Office, inaugurated in January 2016. It is composed of a total of 9 persons: 1 chairperson and 8 members. The chairperson and members are appointed by the Prime Minister with the consent of both houses of the Diet. The term of office is 5 years. Independence is extremely emphasized, and independence in the exercise of authority is guaranteed by law. Main powers include: (1) collection of reports and on-site inspections (Article 143), (2) guidance and advice (Article 144), (3) recommendations (Article 145), and (4) orders (Article 145). Violations of orders are subject to criminal penalties.

The Personal Information Protection Commission publishes four guidelines. (1) "General Rules Edition": provides the basic interpretation of the entire law. It comprehensively explains the definition of personal information, specification of purpose of use, safety management measures, third-party provision, disclosure requests, etc. (2) "Provision to Third Parties in Foreign Countries Edition": stipulates the requirements for transferring personal data to foreign countries based on Article 28 of the law. Requirements include the consent of the individual, establishing a system conforming to standards, or transfer to a country with an equivalent level of protection to Japan. (3) "Confirmation and Record Obligations at the Time of Third-Party Provision Edition": details the obligation for both the provider and recipient to create and retain records. This was introduced in the 2015 amendment as a countermeasure against name list brokers. (4) "Pseudonymously Processed Information and Anonymously Processed Information Edition": determines processing standards, handling rules, and safety management measures. Since the exam tests the names and scope of all four guidelines, be sure you can distinguish them accurately.

The My Number Act ("Act on the Use of Numbers to Identify Specific Individuals in Administrative Procedures") is positioned as a special law to the Personal Information Protection Act. The handling of specific personal information (personal information containing My Number) is subject to stricter limitations than the Personal Information Protection Act. The scope of My Number use is legally limited to three fields: social security, taxation, and disaster countermeasures, and use beyond the purpose is prohibited in principle. Provision of specific personal information is also limited to cases through the Information Provision Network System. Violations are subject to heavier penalties than the Personal Information Protection Act (maximum imprisonment of up to 4 years or a fine of up to 2 million yen).

Other related laws are also frequently tested on the exam. The "Unauthorized Access Prohibition Act" prohibits unauthorized acts using another person's identification codes (ID and password) and attacks exploiting security holes. An important point to note is that the Unauthorized Access Prohibition Act only covers unauthorized access to computers that have access control functions—computers without access control functions are outside its scope. The "Unfair Competition Prevention Act" provides for the protection of trade secrets. The three requirements for trade secrets are extremely important: (a) secrecy management (being managed as a secret), (b) usefulness (being useful for business activities), and (c) non-public knowledge (not being publicly known)—all three must be satisfied.

The "Telecommunications Business Act" is an important law establishing the protection of communications secrecy. Article 4 provides that the secrecy of communications must not be violated, with violations subject to imprisonment or fines. The 2022 amendment added regulations on the external transmission of user information (so-called "Cookie regulations"). The Criminal Code's provisions on unauthorized electromagnetic records (Articles 168-2 and 168-3) punish the creation, provision, and use of computer viruses. The "Act on Regulation of Transmission of Specified Electronic Mail" (Specified Electronic Mail Act) adopts an opt-in method and prohibits the sending of advertising emails without prior consent.

The Privacy Mark (P-Mark) system is a certification system based on JIS Q 15001:2023 "Personal Information Protection Management System—Requirements." The Japan Institute for Promotion of Digital Economy and Community (JIPDEC) operates the entire system, with examinations conducted by JIPDEC or designated examination bodies. The target is business operators with domestic activity bases (on a corporate unit basis), and it cannot be obtained by individuals or department-level units. The validity period is 2 years, and for renewal, the application must be submitted between 8 months and 4 months before the expiration of the validity period. P-Mark certified business operators are obligated to build and operate a Personal Information Protection Management System (PMS) and conduct education for all employees, internal audits, and management reviews.

The ISMS (Information Security Management System) conformity assessment system is a certification system based on the international standard ISO/IEC 27001 (domestic standard JIS Q 27001). It requires building a mechanism to maintain and improve the three elements of information security (Confidentiality, Integrity, and Availability: CIA). ISMS emphasizes continuous improvement based on the PDCA (Plan-Do-Check-Act) cycle, identifying organization-specific risks through risk assessment and taking countermeasures. The certification scope can be obtained for specific departments or service units of an organization (a major difference from P-Mark). The validity period is 3 years, with annual maintenance audits (surveillance). Certification is performed by third-party organizations accredited by accreditation bodies (in Japan, ISMS-AC: Information Security Management System Accreditation Center).

The difference between P-Mark and ISMS is one of the most frequently tested themes on the exam. Scope: P-Mark specializes in personal information protection, while ISMS covers information security as a whole (not limited to personal information). Compliance standard: P-Mark complies with JIS Q 15001 (domestic standard), while ISMS complies with ISO/IEC 27001 (international standard). Certification unit: P-Mark applies to the entire corporation, while ISMS can be obtained at the department or service unit level. Validity period: P-Mark is 2 years, ISMS is 3 years. Operating body: P-Mark is operated by JIPDEC, while ISMS is certified by multiple certification bodies accredited by ISMS-AC. Audit frequency: P-Mark has renewal audits only every 2 years, while ISMS has annual maintenance audits plus renewal audits every 3 years. International validity: P-Mark is valid only within Japan, while ISMS is internationally recognized.

Other certification and accreditation systems include the following. TRUSTe is a certification system for privacy protection on websites, focusing primarily on the handling of personal information online. SOC 2 (Service Organization Control 2) is a system for evaluating the internal controls of cloud service providers and others, based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. ISO/IEC 27701 is an international standard that specifies a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001, potentially serving as a bridge between ISMS and P-Mark. While the exam focuses mainly on the comparison between P-Mark and ISMS, it is also good to understand the names and overviews of these systems.

The Japan-EU mutual recognition formed the world's largest data circulation sphere. Under this framework, Japan's Personal Information Protection Commission formulated the "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU Based on an Adequacy Decision." On the exam, questions may ask about the year the Japan-EU mutual recognition took effect (2019), the existence of supplementary rules, and the meaning of an adequacy decision (that the free transfer of personal data becomes possible).