課題Ⅰ 第３編① 利用目的の特定・変更と利用目的による制限、不適正な利用の禁止

Article 17, Paragraph 1 of the Act on the Protection of Personal Information stipulates that business operators handling personal information must "specify as much as possible" the purpose of use when handling personal information. Crucially, "as much as possible" is not a best-effort obligation but a legal duty. The purpose must be specific enough that the individual can reasonably predict and foresee how their personal information will be used. The General Rules Guidelines (Section 3-1-1) require that the purpose of use not be specified merely in abstract or general terms, but to the degree that the individual can generally and reasonably envision what business and for what purpose their information will ultimately be used.

Examples of insufficient purpose specifications include statements like "for use in business activities," "for improvement of customer service," or "for utilization in sales activities." These are too vague for the individual to predict how their information will be used, and are therefore judged as insufficient specification. These are "bad examples" that frequently appear on the exam.

Examples of appropriate purpose specifications include "for shipping of products," "for implementation of after-sales service," "for notification regarding new products and services," and "for communication and management of recruitment selection." The key point is that the level of specificity must be enough for the individual to concretely understand "Ah, so this company will use my information in this way." Additionally, when there are multiple purposes of use, each must be enumerated individually.

The General Rules Guidelines (3-1-1) provide further detailed standards regarding the degree of specification. For example, merely listing the company's prescribed business purposes alone may not constitute sufficient "specification." It is necessary to describe the business content together with the purpose of use, clearly indicating how information will be used in which business. Furthermore, if the purpose of use includes providing personal information to third parties, this must also be specified as part of the purpose of use.

When changing the purpose of use, under Article 17, Paragraph 2, the change can only be made within "a scope that is reasonably recognized as related to the original purpose of use." This provision was relaxed by the 2015 amendment. Before the amendment, the stricter requirement was "considerable relevance" (相当の関連性), but the current law uses the expression "reasonably recognized as related," slightly expanding the permissible scope of change.

To illustrate with a concrete example, changing "shipping of products" to "shipping of products and notification of related products" can be considered reasonably related. However, changing "shipping of products" to "sale of personal data to third parties" is a completely different nature of use and is not permitted. On the exam, questions are posed that compare the before and after purposes of use and require you to judge whether the change is within a reasonable scope.

When the purpose of use is changed, under Article 21, Paragraph 3, the changed purpose must be notified to the individual or publicly announced. An important point to note is that consent of the individual is NOT required for the change. As long as the change is within the scope of reasonable relevance, notification or public announcement alone suffices, and consent-obtaining procedures are unnecessary. However, if you wish to make a change that exceeds reasonable relevance, you must obtain the individual's consent anew.

Article 18 provides that a business operator handling personal information must not handle personal information beyond the scope necessary to achieve the specified purpose of use without obtaining the prior consent of the individual. This is the so-called "restriction on use outside the purpose." Importantly, the wording "in advance" (あらかじめ) means consent must be obtained beforehand — consent obtained after the fact is, in principle, insufficient.

Here it is necessary to precisely understand the meaning of "consent." Consent is an indication of the individual's will accepting that their personal information will be handled in the manner indicated by the business operator. It can be given in writing, orally, or electronically (email, web form, etc.). However, mere silence or inaction is NOT recognized as consent. For example, sending a notice saying "Please contact us by X date if you do not consent" and deeming no reply as consent is not permitted.

Article 18, Paragraph 3 enumerates exceptions where use beyond the purpose is permitted without consent. First, when based on laws and regulations. For example, creating withholding tax slips based on the Income Tax Act, providing information to investigative authorities under a court warrant, or responding to inquiries from bar associations (Article 23-2 of the Attorneys Act).

The second exception is when necessary for the protection of a person's life, body, or property, and obtaining consent is difficult. A typical example is sharing an employee's emergency contact information with their family for safety confirmation during a disaster. The third exception is when especially necessary for improving public health or promoting the sound upbringing of children, and obtaining consent is difficult. Examples include epidemiological investigations of infectious diseases, and information sharing between relevant institutions for the prevention of child abuse.

The fourth exception is when cooperation is necessary for a national institution, local public body, or their entrusted party to carry out duties prescribed by law, and obtaining consent would risk impeding the execution of those duties. Examples include cooperating with tax investigations and responding to statistical surveys. Note that this exception has the additional requirement that "obtaining consent would risk impeding the execution of duties."

The 2020 amendment (enforced April 2022) added a fifth exception related to academic research. Specifically, this applies when academic research institutions and similar entities need to handle personal information for the purpose of academic research. This amendment revised the previous arrangement where academic research institutions were partially exempt from the Act, reorganizing it so that exceptions are established for each individual obligation provision.

When personal information is transferred through business succession (merger, company split, business transfer, etc.), the successor business operator must use the personal information only within the scope of the purpose of use established before the succession. In other words, if Company A absorbs Company B through a merger, Company A is bound by the purpose of use that Company B had established. If Company A wishes to use the data for its own purposes, it must obtain the individual's consent anew.

Article 19 is a provision newly established by the 2020 amendment (enforced April 2022). This provision did NOT exist in the law prior to the amendment. Its content is that business operators handling personal information must not use personal information in a manner likely to promote or induce illegal or unjust acts. The background for this new provision is that advances in technology have diversified the modes of fraudulent use of personal information.

The most significant feature of Article 19 is that it applies even to use that is within the scope of the stated purpose. While Article 18 restricts use outside the purpose, Article 19 prohibits use that leads to illegal or unjust acts even when within the purpose. In other words, Articles 18 and 19 are complementary, and this provision clarifies that "just because use is within the purpose does not mean anything goes."

The specific examples of improper use indicated by the guidelines are as follows. Providing personal information to organizations or individuals who engage in discriminatory treatment. Creating blacklists by consolidating bankrupt persons' information and using them for discriminatory lending decisions. Providing the whereabouts information of a target person to facilitate stalking. Providing personal information for the purpose of promoting the activities of organized crime groups. Publishing information about bankrupts subject to a court publication order on the internet to use for harassment.

In practice, specifying and managing the purpose of use is the foundation of personal information protection. The purpose of use must be specifically stated in the privacy policy, and the individual must be notified or it must be publicly announced at the time of acquisition. It is indispensable to disseminate the prohibition of use outside the purpose and the prohibition of improper use to employees through internal training, and to establish a framework for regularly auditing usage.