Lawfulness and fairness of processing
The additional protection referred to in recital 43 is all the more relevant as it is through the purpose limitation principle that the Japanese system also ensures that personal data is processed lawfully and fairly.
Under the APPI, when a PIHBO collects personal information, it is required to specify the purpose of utilising the personal information in a detailed manner (29) and promptly inform the data subject of (or disclose to the public) this utilisation purpose (30). In addition, Article 17 of the APPI provides that a PIHBO shall not acquire personal information by deceit or other improper means. As regards certain categories of data such as special-care required personal information, their acquisition requires the consent of the data subject (Article 17(2) of the APPI).
Subsequently, as explained in recitals 41 and 42, the PIHBO is prohibited from processing the personal information for other purposes, except where the data subject consents to such processing or where one of the derogations pursuant to Article 16(3) of the APPI applies.
Finally, when it comes to the further provision of personal information to a third party (31), Article 23(1) of the APPI limits such disclosure to specific cases, with the prior consent by the data subject as the general rule (32). Article 23(2), (3) and (4) of the APPI provide for exceptions to the requirement to obtain consent. However, these exceptions do only apply to non-sensitive data and require that the business operator in advance informs the individuals concerned of the intention to disclose their personal information to a third party and the possibility to object to any further disclosure (33).
As regards transfers from the European Union, personal data will necessarily have been first collected and processed in the EU in compliance with Regulation (EU) 2016/679. This will always involve, on the one hand, collection and processing, including for the transfer from the European Union to Japan, on the basis of one of the legal grounds listed in Article 6(1) of the Regulation and, on the other hand, collection for a specific, explicit and legitimate purpose as well as the prohibition of further processing, including by way of a transfer, in a manner that is incompatible with such purpose as laid down in Articles 5(1)(b) and 6(4) of the Regulation.
Following the transfer, according to Supplementary Rule (3), the PIHBO that will receive the data will have to "confirm" the specific purpose(s) underlying the transfer (i.e. the purpose specified pursuant to Regulation (EU) 2016/679) and further process that data in line with such purpose(s) (34). This means not only that the initial acquirer of such personal data in Japan but also any future recipient of the data (including a trustee) is bound by the purpose(s) specified under the Regulation.
Furthermore, in case the PIHBO would like to change the purpose as previously specified under Regulation (EU) 2016/679, pursuant to Article 16(1) of the APPI it would have to obtain, in principle, the consent of the data subject. Without that consent, any data processing going beyond the scope necessary for achieving that utilisation purpose would constitute a violation of Article 16(1) that would be enforceable by the PPC and the courts.
Hence, given that under Regulation (EU) 2016/679 a transfer requires a valid legal basis and specific purpose, which are reflected in the utilization purpose "confirmed" under the APPI, the combination of the relevant provisions of the APPI and of Supplementary Rule (3) ensures the continued lawfulness of the processing of EU data in Japan.