課題Ⅰ 第９編 実効性を担保する仕組み等

The Act on the Protection of Personal Information prepares a multi-layered mechanism to guarantee the law's effectiveness: complaint handling, administrative supervision, voluntary efforts by private organizations, and penalties. In this part, we will look at each mechanism in detail.

Under Article 40, personal information handling business operators must endeavor to process complaints about the handling of personal information appropriately and promptly. This is an "effort obligation" (努力義務) — not a legally binding duty — but neglecting complaints can lead to becoming subject to administrative guidance. Specifically, establishing complaint reception contact points, formulating complaint processing procedures, and assigning complaint processing personnel are required.

The Personal Information Protection Commission (PPC) is an independent administrative commission established to ensure the proper handling of personal information. It is established as an external bureau of the Cabinet Office and cannot receive direction or orders from other administrative agencies. This independence is extremely important for protecting personal information from political pressure.

The PPC is composed of a total of 9 members: 1 chairperson and 8 commissioners. The chairperson and commissioners are appointed by the Prime Minister with the consent of both houses of the Diet. Their term of office is 5 years. A secretariat is established to handle daily operations.

The first stage of the PPC's supervisory authority is report collection and on-site inspection (Article 146). The Commission can demand that business operators submit necessary reports and materials regarding the handling of personal information. Commission staff are also permitted to enter business operators' offices, inspect books and documents, and question related parties. Report collection and on-site inspection are means for fact-finding and do not themselves have dispositive effect.

Guidance and advice (Article 147) are the lightest supervisory measures. The Commission can provide necessary guidance and advice to business operators regarding ensuring the proper handling of personal information. They have no legal binding force and there is no direct penalty for non-compliance, but in practice it is rare for business operators to ignore them.

A recommendation (Article 148) is a measure one step heavier than guidance and advice. When a personal information handling business operator has violated its obligations, the Commission can recommend that it cease the violation and take other necessary corrective measures. Recommendations also lack legal binding force, but they may be made public and can impact a business operator's social credibility.

An order (Article 148, paragraph 3) is a legally binding measure issued when a recommendation is not complied with. Violation of an order is subject to criminal penalties. Furthermore, as an urgent order (Article 148, paragraph 2), when there is an urgent necessity to protect the rights and interests of individuals, the Commission can issue an order directly without going through a recommendation first. This provision anticipates cases such as large-scale data leakage incidents where there is no room to go through the normal step-by-step process.

Certified personal information protection organizations (Articles 47-56) are a system for promoting the protection of personal information through voluntary private sector efforts. Private organizations that have received PPC certification handle complaint processing, provision of information, and the creation and publication of personal information protection guidelines for target business operators.

There are three main duties of certified organizations. First, processing complaints regarding the handling of personal information by target business operators. Second, provision of information regarding ensuring proper handling of personal information. Third, creation of personal information protection guidelines.

Personal information protection guidelines are rules for handling personal information tailored to the characteristics of each industry. When creating guidelines, certified organizations must endeavor to hear the opinions of persons representing consumers and other related parties. Created guidelines are notified to the PPC, and the PPC publishes them. Target business operators must endeavor to comply with the guidelines.

The penalties under the Act on the Protection of Personal Information are stipulated in Articles 176 through 185. Imprisonment and fines are established in stages according to the seriousness of the violation. Below, we will review the main penalties.

Article 176: A person who violates an order from the Personal Information Protection Commission is punished by imprisonment of up to one year or a fine of up to one million yen. This is the heaviest criminal penalty among the penalty provisions.

Article 177: A person who provides a personal information database for the purpose of seeking improper profit is punished by imprisonment of up to one year or a fine of up to 500,000 yen. Article 178: A person who acquires a personal information database by means of theft, fraud, etc. for the purpose of seeking improper profit receives the same punishment. Remember: Article 177 covers improper provision, Article 178 covers improper acquisition.

Article 179: A person who fails to report or makes a false report in response to the PPC's report collection, or who refuses, obstructs, or evades an on-site inspection, is punished by a fine of up to 500,000 yen. There is no imprisonment — only a fine.

The dual punishment provision of Article 184 is extremely important. When a corporation's representative, agent, employee, or other worker commits a violation, not only is the individual perpetrator punished, but the corporation is also fined. In particular, for violations of Article 176 (order violation) and Article 177 (improper provision), corporations face fines of up to 100 million yen.

In this way, the effectiveness of the Act on the Protection of Personal Information is guaranteed by four layers: complaint handling by business operators themselves (Art. 40), graduated supervision by the PPC (Art. 146-148), self-regulation by certified organizations (Art. 47-56), and penalties (Art. 176-185). On the exam, article numbers, fine amounts, and the order of supervisory measures are frequently tested.