Individual rights

Like EU data protection law, the APPI grants individuals a number of enforceable rights. This includes the right to access ('disclosure'), rectification and erasure as well as the right to object ('utilisation cease').

First, pursuant to Article 28(1) and (2) of the APPI, a data subject has a right to request from a PIHBO to "disclos[e] retained personal data that can identify him- or herself" and, upon receipt of such a request, the PIHBO "shall […] disclose retained personal data" to the data subject. Article 29 (right to correction) and 30 (right to utilisation cease) have the same structure as Article 28.

Article 9 of the Cabinet Order specifies that disclosure of personal information as referred to in Article 28(2) of the APPI shall be performed in writing, unless the PIHBO and the data subject have agreed otherwise.

These rights are subject to three types of restrictions, relating to the individual's own or third parties’ rights and interests (51), serious interference with the PIHBO's business operations (52) as well as cases in which disclosure would violate other laws or regulations (53). The situations in which these restrictions would apply are similar to some of the exceptions applicable under Article 23(1) of Regulation (EU) 2016/679, which allows for restrictions of the rights of individuals for reasons related to the "protection of the data subject or the rights and freedoms of others" or "other important objectives of general public interest". Although the category of cases in which disclosure would violate "other laws or regulations" may appear broad, laws and regulations providing for limitations in this regard must respect the constitutional right to privacy and may impose restrictions only to the extent that the exercise of this right would "interfere with the public welfare" (54). This requires a balancing of the interests at stake.

According to Article 28(3) of the APPI, if the requested data does not exist, or where the PIHBO concerned decides not to grant access to the retained data, it is required to inform the individual without delay.

Second, pursuant to Article 29(1) and (2) of the APPI, a data subject has a right to request the correction, addition or deletion of his/her retained personal data in the case where the data is inaccurate. Upon receipt of such a request, the PIHBO "shall […] conduct a necessary investigation" and, based on the results of such an investigation, "make a correction etc. of the contents of the retained data".

Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).

When the request is founded, the PIHBO shall without delay discontinue the use of the data, or the provision to a third party, to the extent necessary to remedy the violation or, if a case is covered by an exception (notably if the utilisation cease would cause particularly high costs) (55), implement necessary alternative measures to protect the rights and interests of the individual concerned.

Differently from EU law, the APPI and relevant sub-statutory rules do not contain legal provisions specifically addressing the possibility to oppose processing for direct marketing purposes. However, such processing will, under this Decision, take place in the context of a transfer of personal data that was previously collected in the European Union. Under Article 21(2) of Regulation (EU) 2016/679, the data subject shall always have the possibility to oppose a transfer of data for the purpose of processing for direct marketing. Moreover, as explained in recital 43, under Supplementary Rule (3), a PIHBO is required to process the data received under the Decision for the same purpose for which the data have been transferred from the European Union, unless the data subject consents to change the utilisation purpose.Hence, if the transfer has been made for any purpose other than direct marketing, a PIHBO in Japan will be barred from processing the data for the purpose of direct marketing without consent of the EU data subject.

In all cases referred to in Articles 28 and 29 of the APPI, the PIHBO is required to notify the individual about the outcome of his/her request without delay, and moreover has to explain any (partial) refusal based on the statutory exceptions provided for in Articles 27 to 30 (Article 31 of the APPI).

As regards the conditions for making a request, Article 32 of the APPI (together with the Cabinet Order) allows the PIHBO to determine reasonable procedures, including in terms of the information needed to identify the retained personal data. However, according to paragraph 4 of this Article, PIHBOs must not impose an "excessive burden on a principal". In certain cases the PIHBOs may also impose fees as long as their amount stays "within the scope considered reasonable in consideration of actual costs" (Article 33 of the APPI).

Finally, the individual may object to the provision of his/her personal information to a third party under Article 23(2) of the APPI, or refuse consent under Article 23(1) (thus preventing disclosure in case no other legal basis would be available). Likewise, the individual can stop the processing of data for a different purpose by refusing to provide consent pursuant to Article 16(1) of the APPI.

Differently from EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).

In any event, as regards personal data that has been collected in the European Union, any decision based on automated processing will typically be taken by the data controller in the Union (which has a direct relationship with the concerned data subject) and is thus subject to Regulation (EU) 2016/679 (56). This includes transfer scenarios where the processing is carried out by a foreign (e.g. Japanese) business operator acting as an agent (processor) on behalf of the EU controller (or as a sub-processor acting on behalf of the EU processor having received the data from an EU controller that collected it) which on this basis then takes the decision. Therefore, the absence of specific rules on automated decision making in the APPI is unlikely to affect the level of protection of the personal data transferred under this Decision.