Definition of personal data

Only certain forms of personal information fall within the notion of "personal data" under the APPI. In fact, "personal data" is defined as "personal information constituting a personal information database", i.e. a "collective body of information" comprising personal information "systematically organized so as to be able to search for particular personal information using a computer" (17) or "prescribed by cabinet order as having been systematically organized so as to be able to easily search for particular personal information" but "excluding those prescribed by cabinet order as having little possibility of harming an individual's rights and interests considering their utilization method" (18).

This exception is further specified in Article 3(1) of the Cabinet Order, according to which the three following cumulative conditions must be fulfilled: (i) the collective body of information must have been "issued for the purpose of being sold to a large number of unspecified persons and the issuance of which has not been conducted in violation of the provisions of a law or order based thereon"; (ii) must be capable of being "purchased at any time by a large number of unspecified persons" and (iii) the personal data contained therein must be "provided for their original purpose without adding other information relating to a living individual". According to the explanations received from the PPC, this narrow exception was introduced with the aim of excluding telephone books or similar types of directories.

For data collected in Japan, this distinction between "personal information" and "personal data" is relevant because such information may not always be part of a "personal information database" (for example, a single data set collected and processed manually) and therefore those provisions of the APPI that only relate to personal data will not apply (19).

By contrast, this distinction will not be relevant for personal data imported from the European Union to Japan on the basis of an adequacy decision. As such data will typically be transferred by electronic means (given that in the digital era this is the usual way of exchanging data, especially over a large distance as between the EU and Japan), and hence become part of the data importer's electronic filing system, such EU data will fall into the category of "personal data" under the APPI. In the exceptional case that personal data would be transferred from the EU by other means (e.g. in paper form), it will still be covered by the APPI if following the transfer it becomes part of a "collective body of information" systematically organised so as to allow easy search for specific information (Article 2(4)(ii) APPI). According to Article 3(2) of the Cabinet Order, this will be the case where the information is arranged "according to a certain rule" and the database includes tools such as for instance a table of contents or index to facilitate the search. This corresponds to the definition of a "filing system" within the meaning of Article 2(1) of the GDPR.