This section outlines the Japanese government's interpretation of the definition of "personal information." [1] This interpretation is based on the "Guidelines for the Personal Information Protection Act (General Provisions)" .(hereinafter referred to as "Guidelines") published by the Personal Information Protection Commission and the "Q&A regarding the 'Guidelines for the Personal Information Protection Act'"[2] .(hereinafter referred to as "Q" and expressed as "Q1-1") [3].
Note that "Personal Identification Codes" (Article 2, Paragraph 1, Item 2) will be discussed separately.
1. Administrative Interpretation
(1) Criteria for Determining Personal Identifiability
According to the Personal Information Protection Commission's view, "being able to identify a specific individual" in the definition of personal information means "being able to recognize, based on social common sense and with the judgment and understanding of an ordinary person, the identity between a living specific person and information" (Q1-1).
What is important in this judgment criterion is the government's view that even if there is a possibility of people with the same name existing, a name alone can constitute personal information as something that "can identify a specific individual based on social common sense" (Q1-2). This indicates that the criterion is based on identifiability according to social common sense, rather than complete uniqueness.
Terminology Distinctions in the Personal Information Protection Act
In the Personal Information Protection Act, terminology is strictly distinguished, with terms such as "personal information," "sensitive personal information," "personal data," "retained personal data," "personal related information," "pseudonymized information," and "anonymously processed information" being used distinctly. It should be noted that the obligations imposed on personal information handling business operators differ for each category (Guidelines 2-1 Note 1).
(2) Specific Examples of Personal Information
The Guidelines present the following specific examples of what constitutes personal information:
Basic personal identification information includes the person's name (Guidelines 2-1 Example 1). Information combining birth date, contact information (address, residence, telephone number, email address), and information about position or affiliation at a company with the person's name also constitutes personal information (Guidelines 2-1 Example 2).Regarding video and audio information, video information recorded by security cameras where the person can be identified (Guidelines 2-1 Example 3) and audio recording information that can identify a specific individual due to reasons such as containing the person's name (Guidelines 2-1 Example 4) are considered personal information.
Electronic identification information (computer-processed information) includes email addresses that can identify specific individuals (such as kojin_ichiro@example.com, where even if only the email address is provided, it can be understood to be the email address of Kojin Ichiro belonging to Example Company) (Guidelines 2-1 Example 5).
Dynamic personal information status is shown as an important concept: personal information related to an individual that is added to information after acquisition (even if a living specific individual could not be identified at the time of acquisition, if new information is added or cross-referenced after acquisition and a living specific individual can be identified as a result, it constitutes personal information at that point) (Guidelines 2-1 Example 6). Regarding public information, information that can identify specific individuals made public through official gazettes, telephone directories, staff directories, legally required disclosure documents (securities reports, etc.), newspapers, websites, SNS (Social Networking Services), etc., is considered personal information (Guidelines 2-1 Example 7).
(3) Dynamic Personal Information Status
A characteristic feature of the government's view is the dynamic interpretation that personal information status is not fixedly determined at the time of acquisition (Guidelines 2-1 Example 6). This interpretation enables flexible responses based on the premise that personal identifiability changes due to information accumulation and technological advancement.
2 Easily Cross-Referenceable Personal Information
— Adoption of Provider Standard in Determining Easy Cross-Referenceability with Other Information
Regarding the determination of whether information "can be easily cross-referenced with other information," the government requires individual case-by-case judgment based on business operators' actual circumstances rather than formal criteria. Specifically, it states that "while it should be judged case by case according to the actual circumstances of the business operator, it refers to a state where information can be easily cross-referenced with other information using general methods in ordinary business operations. For example, cases requiring inquiries to other business operators where cross-referencing is difficult are generally interpreted as states where easy cross-referencing is not possible" (Guidelines 2-1 Note 4).
Particularly important is that the government clearly adopts the "provider standard" in determining easy cross-referenceability. In the Personal Information Protection Commission's "Personal Information Protection Act So-called Triennial Review System Reform Outline" (December 13, 2019), the government explicitly states:"When providing information externally, even if the provided portion alone does not constitute personal information, if the business operator providing the information 'can easily cross-reference it with other information, thereby making it possible to identify a specific individual,' the provider is required to provide such information appropriately under management as personal information. This is based on the fundamental concept of primarily imposing obligations to protect individual rights and interests on business operators who have acquired personal information, even if the recipient cannot recognize it as personal information. This requires providers to treat such information as personal information (generally called the 'provider standard')." [4]
The Q&A addresses cases where databases are separated between departments within a business operator, stating that a state where "both handling departments or those in supervisory positions are strictly prohibited by regulations and operations from handling both databases, and information in both databases cannot be cross-referenced using general methods in ordinary business operations without special costs or effort" is interpreted as a state where "easy cross-referencing is not possible." Conversely, a state where "information in both databases can be cross-referenced using general methods in ordinary business operations" is recognized as having easy cross-referenceability (Q1-18).
Furthermore, "when common identifiers (e.g., customer IDs) are assigned to information that can identify specific individuals, making it possible to reference such information together with information that can identify specific individuals within the business operator," it is interpreted as being able to easily cross-reference with other information (Q1-19).
3 Personal Information Status of Individual Information
(1) Contact Information
Regarding addresses and telephone numbers, judgment is made case by case, but when combined with other information such as "contact information (address, residence, telephone number, email address)" and the person's name (Guidelines 2-1 Example 2), if a specific individual can be identified through easy cross-referencing with other information, such information may constitute personal information as a whole (Q1-3).
Regarding email addresses, "when a specific individual can be identified from the username and domain name (e.g., kojin_ichiro@example.com)," it constitutes personal information by itself. In other cases, "when a specific individual can be identified through easy cross-referencing with other information, such information together may constitute personal information as a whole" (Guidelines 2-1 Example 5, Q1-4).(2) Public Information
An important characteristic of the government's view is that the public nature of information does not negate its status as personal information. Regarding "personal information already published in newspapers or the Internet," it is clarified that "even if information is publicly known, depending on its purpose of use and manner of handling such as cross-referencing with other personal information, it may lead to infringement of individual rights and interests. Therefore, the Personal Information Protection Act treats already published information as subject to protection without distinguishing it from other personal information" (Guidelines 2-1 Example 7, Q1-5).
(3) Audio and Video Information
As a view considering technological advancement, regarding call content, "when it is possible to identify a specific individual from call content, it constitutes personal information" (Guidelines 2-1 Example 4, Q1-10).
On the other hand, it is generally not possible to identify specific individuals from call content, and recording records basically do not constitute personal information. However, if they can be easily cross-referenced with other information and thereby identify a specific individual, they may constitute personal information as a whole together with such information, requiring case-by-case judgment (Q1-11).
Additionally, the view states that "when characteristic information is extracted from recorded audio and converted into data that can authenticate the person using speaker recognition systems or other devices and software for the purpose of authenticating the person, such data constitutes personal identification codes and constitutes personal information by itself" (Q1-11).
Regarding camera images, attribute information such as gender and age, or movement trajectory data (people flow data) in stores created by replacing with full-body silhouette images, etc., alone do not constitute personal information except when they can be easily cross-referenced with information that can identify specific individuals such as source camera images or personal identification codes. Specific judgment criteria for the personal information status of processed information are provided (Q1-12, see Guidelines 2-1 Example 3 "Video information where the person can be identified").
(4) Others (Views on Special Cases)
Regarding "nicknames" and "IDs" in online games, even if they are publicly available, they usually cannot identify specific individuals and therefore do not constitute personal information. However, "nicknames" or "IDs" may be easily cross-referenced with other information held by the operator to identify specific individuals, and in such cases, they may constitute personal information. Additionally, in exceptional cases where specific individuals can be identified from nicknames or IDs (famous nicknames, etc.), they constitute personal information (Q1-9).Regarding machine learning, "trained parameters (weight coefficients) generated using multiple individuals' personal information as training datasets for machine learning are processing/calculation coefficients adjusted to produce specific outputs in trained models. As long as the correspondence between such parameters and specific individuals is excluded, they do not constitute 'information about individuals' and therefore do not constitute 'personal information'" (Q1-8).
4 Clarification of Scope of Application
Regarding the scope of application, "individuals" are not limited to Japanese nationals but include foreigners, and "personal information handled by personal information handling business operators and administrative organs in Japan, regardless of residence or nationality, may be subject to protection under the Personal Information Protection Act" (Q1-6).
Furthermore, "since corporations and other organizations do not constitute 'individuals,' information about such organizations themselves does not constitute 'personal information' (however, information about officers, employees, etc., constitutes personal information). Note that 'individuals' include not only Japanese nationals but also foreigners" (Guidelines 2-1 Note 3). Regarding employee information (in-house information), it is clarified that even if it concerns employees, when it falls under the definition in Article 2, Paragraph 1 of the Act, it constitutes personal information and must be handled in accordance with the regulations of the same Act (Q1-20, see Guidelines 2-1 Example 2 "Information about position or affiliation at a company"). Regarding information about deceased persons, the Personal Information Protection Act limits "personal information" to information about living individuals, and information about deceased persons is not subject to protection. However, when information about deceased persons is simultaneously information about living individuals such as bereaved family members, it constitutes information about such living individuals (Guidelines 2-1 Note 2, Q1-21).5 Information Not Constituting Personal Information
Examples of information not constituting personal information include "corporate financial information and other information about corporations and other organizations themselves (organizational information)" and "statistical information (information obtained by extracting items related to common elements from multiple individuals' information and aggregating them by the same classification)" (Q1-7). Regarding statistical information, it is clarified that "as long as correspondence with specific individuals is excluded, it does not constitute 'information about individuals' and therefore does not constitute 'personal information'" (Q1-17).The above government views require flexible judgment adapted to technological advancement and changes in social conditions while reflecting business operators' actual circumstances. Particularly, the clear adoption of the provider standard demonstrates the fundamental concept of primarily imposing obligations on personal information handling business operators to protect individual rights and interests. Additionally, the strict terminology distinctions in the Personal Information Protection Act (Guidelines 2-1 Note 1) and specific examples shown in Guidelines 2-1 Examples 1 through 7 clarify practical judgment guidelines, serving as an important significance in demonstrating appropriate personal information protection in modern society.
6 Specific Operational Examples of Personal Information Handling
Note that the above mainly organizes government views regarding the definition of personal information itself, but the Q&A also provides detailed views on personal information handling in specific operational situations involving camera and video technology.
Specifically, it covers considerations for installing and using conventional security cameras (Q1-13), additional considerations when using camera systems with face recognition functions (Q1-14), obligations to obtain consent when changing from security purposes to commercial purposes (Q1-15), and determination of personal information status in extracting attribute information and delivering personalized advertisements using cameras built into electronic bulletin boards (Q1-16).These represent operational guidelines for specific obligations imposed on personal information handling business operators (specification, notification and publication of purposes of use, appropriate acquisition, restrictions on use beyond intended purposes, etc.) rather than the definition of personal information itself. However, Q1-16 particularly provides important interpretation regarding the determination of personal information status in a series of processes, stating that even if facial images are immediately deleted, it is "interpreted as handling personal information to deliver advertisements."
Footnote
[1] Personal Information Protection Commission, "Guidelines for the Personal Information Protection Act (General Provisions)," November 2016 (partially revised June 2025), "2-1 Personal Information (Related to Article 2, Paragraph 1 of the Act)," pp. 5-6. https://www.ppc.go.jp/files/pdf/250601_guidelines01.pdf
[2] Personal Information Protection Commission, "Q&A regarding the 'Guidelines for the Personal Information Protection Act'," February 16, 2017 (updated July 1, 2025), "1-1 Definitions," pp. 1-7. https://www.ppc.go.jp/files/pdf/250701_APPI_QA.pdf
[3] The Personal Information Protection Commission's Guidelines (public notices) and Q&A (reference documents) provide primary interpretative guidance by administrative agencies regarding the interpretation of the Personal Information Protection Act, functioning as important judgment criteria in practice. However, this primary judgment is not final, and the ultimate authority for legal interpretation rests with the judiciary (courts). Individual orders (administrative dispositions) by the Personal Information Protection Commission are subject to judicial review, and courts may overturn administrative decisions, which may in turn lead to changes in interpretative guidance. Furthermore, the Guidelines and Q&A are frequently revised, and the Personal Information Protection Act continues to be amended through triennial reviews. Therefore, it is necessary to constantly obtain the latest information through the Personal Information Protection Commission's website (https://www.ppc.go.jp/) and other sources.
[4] Personal Information Protection Commission, "Personal Information Protection Act So-called Triennial Review System Reform Outline" (December 13, 2019), "Section 4: Policy Approaches for Data Utilization, 4. Handling of Terminal Identifiers, etc.," p. 23. https://www.ppc.go.jp/files/pdf/seidokaiseitaiko.pdf
Copyright © 2025 Masatomo Suzuki. All Rights Reserved.
Contact: msuzuki.jura(at)niigata-u.ac.jp