課題Ⅰ 第５編 個人関連情報に関する義務（法31条）

Personal-related information is defined in Article 2, Paragraph 7 as information relating to a living individual that does not fall under personal information, pseudonymized information, or anonymized information. The key point is that while it cannot identify a specific individual, it is still information that "relates to" an individual.

Specific examples include cookie IDs, browsing history, purchase history, location data, device information, app usage history, and interest/preference profiles. Because these cannot identify a specific individual on their own, they do not constitute "personal information" — but they carry a potential risk of identifying individuals when combined with other information.

The background to this concept being introduced into law was the "Rikunabi incident," which became a major social issue in 2019. Recruit Career, which operated the job-hunting site "Rikunabi," used AI to analyze students' cookie data and site browsing history to develop scores calculating the job-offer-decline rate (the probability a student would decline an informal job offer). These scores were sold to companies conducting recruitment activities without obtaining consent from the students themselves.

The crux of the problem was that cookie data alone did not constitute personal information, so the Personal Information Protection Act at the time had no means to regulate this practice. On Recruit Career's side, cookie IDs were not linked to individuals, but on the receiving companies' side, the data was cross-referenced with applicants' names to become personal data. The exposure of this "gap in the law" became the direct trigger for the amendment.

Based on this reflection, the 2020 amendment (enforced April 2022) newly established Article 31, creating provisions regarding the third-party provision of personal-related information. This put in place a legal framework capable of addressing cases like the Rikunabi incident.

The trigger condition for Article 31's regulation is when personal-related information is provided to a third party and it is "expected" that the third party will acquire it as personal data. In other words, the regulation applies when it is anticipated that the receiving side will cross-reference it with other information to reach a state where specific individuals can be identified.

What is important here is the interpretation of "expected." This includes not only cases where the provider actually knows, but also cases where a business operator with ordinary judgment could reasonably foresee it. For example, if the provider knows that the recipient possesses a member database, or if they use a cookie synchronization mechanism, it is naturally judged as "expected."

Under Article 31, Paragraph 1, Item 1, the providing business operator bears a duty to confirm that the receiving third party has obtained consent from the individual. The critical point to note here is that the party obtaining consent is the receiving third party, not the provider. The provider's duty is strictly one of "confirmation" that consent has been obtained.

When the receiving third party is located in a foreign country, there are additional requirements (Article 31, Paragraph 1, Item 2). In this case, the provider must also confirm that measures equivalent to Article 28 have been taken. That is, a duty is added to confirm that the foreign third party has established an appropriate protection system.

According to the guidelines' interpretation, the concept of "provision" is interpreted broadly. Data linkage through APIs, information handover through tag/cookie synchronization (cookie sync), and acts of allowing third parties to collect information through tags installed on websites can all constitute "provision" under Article 31. Regardless of the technical means, cases where personal-related information substantively transfers to a third party are subject to the regulation.

There are mainly two matters the providing business operator must confirm. First, that the receiving third party has obtained the individual's consent. Second, if the third party falls under an exception, that fact. As for the method of confirmation, it is typical to receive a declaration from the receiving party.

Additionally, the provider is also imposed with a duty to create and preserve records. The matters to be recorded are: the date of provision, the name of the receiving third party (or corporate name in the case of a corporation), and the items of personal-related information provided. The retention period follows the same framework as the third-party provision records under Article 29.

Understanding the structural difference between Article 27 (ordinary third-party provision of personal data) and Article 31 is the key to exam preparation. Under Article 27, the provider itself obtains the individual's consent. Under Article 31, the party obtaining consent is the receiver, and the provider conducts the confirmation. This difference originates from the fact that at the provider's stage, personal-related information cannot identify individuals, making it impossible for the provider to request consent from the individual in the first place.

DMP (Data Management Platform) operators are the primary target of Article 31. DMP operators accumulate large volumes of personal-related information such as website browsing history and purchase history, and provide it to third parties for purposes like advertising distribution. Because it becomes personal data when the receiving companies combine it with their own customer data, this is precisely the scenario Article 31 envisions.

Three issues frequently appear on the exam. First, the structural difference between Article 31 and Article 27 (who obtains consent). Second, the trigger for establishing this provision (the Rikunabi incident). Third, the condition under which the obligation arises (when it is "expected" that the receiving side will create personal data). Accurately grasping these points is the shortcut to passing.