課題Ⅰ 第２編 個人情報保護法の目的・基本理念と用語の定義

The Personal Information Protection Act was enacted against the backdrop of the remarkable expansion in the use of personal information accompanying the advancement of the information and communication society. Article 1 establishes the purpose of this law. It stipulates that, taking into account that the proper and effective utilization of personal information contributes to the creation of new industries and the realization of a vibrant economy and society, the law protects the rights and interests of individuals while giving consideration to the usefulness of personal information.

The most important point for the exam is that this is NOT a law solely about protecting personal information. Article 1 expressly states "while giving consideration to the usefulness of personal information," meaning the legislative intent is to strike a BALANCE between protection and utilization. Specifically, three pillars are stated: protection of individual rights and interests, consideration for the usefulness of personal information, and proper handling of personal information.

Article 3 establishes the fundamental principle. Personal information should be handled carefully under the principle of respect for individual personality, and its proper handling must be ensured. An important point to note is that Article 3 is a philosophical principle provision and does NOT impose specific obligations. Specific obligations on business operators are stipulated from Chapter 4 onward. This principle is the fundamental concept that permeates the entire law and serves as a guideline when interpreting other articles.

Personal information is defined in Article 2, Paragraph 1. It is information relating to a living individual, and there are two types: (a) information that can identify a specific individual by name, date of birth, or other descriptions contained in the information (description type), and (b) information that contains a personal identification code (personal identification code type). An important point is that it is limited to "living" individuals. Information about deceased persons is in principle excluded, but if information about a deceased person can simultaneously identify a living bereaved family member, it falls under personal information. Also, a name alone qualifies as personal information, but a date of birth alone does not because it cannot identify a specific individual. A combination of date of birth + name does qualify.

Personal identification codes are defined in Article 2, Paragraph 2, and are divided into two types. Type 1 (Item 1) covers codes converted from bodily characteristics for computer processing. Specifically, there are 7 types: DNA, fingerprint, iris, voiceprint, gait pattern, vein pattern, and facial features (bone structure, skin color, eyes, nose, mouth, etc.). Type 2 (Item 2) covers numbers and symbols assigned to individuals. Specifically: passport number, basic pension number, driver's license number, My Number (individual number), resident certificate code, health insurance insured person number, residence card number, special permanent resident certificate number, and others. Mobile phone numbers and email addresses do NOT qualify as personal identification codes.

Special care-required personal information is defined in Article 2, Paragraph 3. It requires particular care in handling to prevent unjust discrimination, prejudice, or other disadvantage. All categories enumerated in the law and government ordinance are: (1) race, (2) creed (including religion and ideology), (3) social status, (4) medical history, (5) criminal record (history of finalized guilty verdicts), (6) fact of having suffered harm from a crime (victim information), (7) having a physical, intellectual, or mental disability, (8) results of health examinations, (9) receiving medical guidance, treatment, or dispensing by a doctor, (10) criminal procedures such as arrest or search having been carried out, (11) juvenile protection case procedures having been carried out.

Acquisition of special care-required personal information requires, in principle, the consent of the person (Article 20, Paragraph 2). This is stricter handling than ordinary personal information. While ordinary personal information acquisition only requires notification or publication of the purpose of use, special care-required personal information requires obtaining the person's consent in advance.

A personal information database, etc. is defined in Article 16, Paragraph 1. It is a collection of information containing personal information that is systematically organized so that specific personal information can be searched. It covers not only electronic computer databases but also paper-based media, provided they are organized for easy searching via a table of contents, index, symbols, etc. However, items with a low risk of harming individual rights and interests considering their method of use are excluded. Exclusion examples prescribed by government ordinance include commercially available telephone directories and car navigation map software.

Personal data is defined in Article 16, Paragraph 3 as personal information that constitutes a personal information database, etc. In other words, scattered personal information is "personal information" but does NOT become "personal data." It only becomes "personal data" once it is entered and organized in a database. This distinction is extremely important. Many obligations such as security management measures (Article 23) and restrictions on third-party provision (Article 27) apply from the "personal data" level.

Retained personal data is defined in Article 16, Paragraph 4 as personal data over which a personal information handling business operator has the authority to disclose, correct, add to, delete, suspend use of, erase, and suspend provision to third parties. A major change occurred with the amended law enforced in 2022. Under the old law, data scheduled for erasure within 6 months was excluded from retained personal data, but this 6-month exclusion requirement was abolished by the amendment. Even short-term stored data now qualifies as retained personal data and is subject to disclosure, correction, and use suspension requests from the individual.

A personal information handling business operator is defined in Article 16, Paragraph 2 as an entity that uses a personal information database, etc. for business purposes. Before the 2015 amendment, only entities that handled more than 5,000 personal information items within the past 6 months were subject. This 5,000-item requirement was abolished by the 2015 amendment (enforced 2017), and all business operators that use personal information databases for business are now subject. This includes small-scale operators, sole proprietors, NPOs, neighborhood associations, alumni associations, etc. However, national agencies, local public organizations, and independent administrative corporations are excluded (separate provisions in Chapter 5 apply to them).

Pseudonymized information is defined in Article 2, Paragraph 5 as information processed from personal information so that a specific individual cannot be identified unless cross-referenced with other information. It was newly established by the 2020 amendment (enforced 2022). Its purpose is to promote internal data analysis and statistical use by business operators. Key characteristics: third-party provision is prohibited in principle; use for contacting the person is prohibited; cross-referencing to restore the original personal information (re-identification) is prohibited; however, technically restoration IS possible because the additional information for cross-referencing still exists. It is exempt from disclosure, correction, and use suspension requests, and restrictions on changing the purpose of use are relaxed.

Anonymized processed information is defined in Article 2, Paragraph 6 as information processed from personal information so that a specific individual cannot be identified AND the original personal information cannot be restored. It was introduced by the 2015 amendment. The greatest characteristic is its irreversibility — restoration to the original personal information is impossible by design. Third-party provision IS possible, and it was established to promote big data utilization. There is an obligation to follow processing standards when creating it, and an obligation to publicize the items of information contained when providing it.

Personal-related information is defined in Article 2, Paragraph 7 as information relating to a living individual that does not fall under personal information, pseudonymized information, or anonymized processed information. Specifically, this includes cookie information, browsing history, purchasing history, location data, device identification IDs, etc. It envisions cases where the information source cannot identify the individual, but the information becomes personal data at the destination when linked with other information. When it is expected that such information will become personal data at the recipient, the source has an obligation to confirm that the person's consent has been obtained (Article 31). This concept was newly established by the 2020 amendment, with provisions designed with DMP (Data Management Platform) cookie linking in mind.

Articles 4 through 13 stipulate the duties and policy measures of the national government and local public organizations. The national government bears the duty to comprehensively formulate and implement policy measures regarding the proper handling of personal information (Article 4). Local public organizations bear the duty to formulate and implement policy measures suited to the characteristics of their area, in accordance with national policy measures (Article 5).

The following specific national policy measures are stipulated: Legal measures, etc. (Article 6): development of necessary laws and systems. Awareness-raising activities (Article 9): education and publicity activities for citizens. Measures for complaint handling (Article 10): development of systems for appropriate and prompt complaint handling. International cooperation (Article 8): cooperation with international efforts regarding personal information protection. Measures to ensure proper handling of personal information (Articles 11-13).

The Personal Information Protection Commission plays an important role as the independent agency that centrally manages these policy measures. Established as an external bureau of the Cabinet Office, it has supervisory authority (report collection, on-site inspection, guidance, advice, recommendation, orders). Its authority was strengthened by the 2015 amendment, consolidating supervisory authority previously held by various ministries.