(4)
The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).
(5)
This Decision has the effect that transfers from a controller or processor in the European Economic Area (EEA) (7) to such organisations in Japan may take place without the need to obtain any further authorisation. This Decision does not affect the direct application of Regulation (EU) 2016/679 to such organisations when the conditions of its Article 3 are fulfilled.
(10)
The two latter acts (amended in 2016) contain provisions applicable to the protection of personal information by public sector entities. Data processing falling within the scope of application of those acts is not the object of the adequacy finding contained in this Decision, which is limited to the protection of personal information by "Personal Information Handling Business Operators" (PIHBOs) within the meaning of the APPI.
(17)
The scope of application of the APPI is determined by the defined concepts of Personal Information, Personal Data and Personal Information Handling Business Operator. At the same time, the APPI provides for some important exemptions from its scope, most importantly for Anonymously Processed Personal Data and for specific types of processing by certain operators. While the APPI does not use the term "processing", it relies on the equivalent concept of "handling" which, according to the information received from the PPC, covers "any act on personal data" including the acquisition, input, accumulation, organisation, storage, editing/processing, renewal, erasure, output, utilization, or provision of personal information.
(24)
As regards the first of those two categories, it is explained in Article 4 of the Cabinet Order and covers four types of exemptions (20). These exemptions pursue similar objectives as those listed in Article 23(1) of Regulation (EU) 2016/679, notably protection of the data subject ("principal" in the terminology of the APPI) and the freedom of others, national security, public security, criminal law enforcement or other important objectives of general public interest. In addition, it results from the wording of Article 4(1)(i)-(iv) of the Cabinet Order that their application always presupposes a specific risk for one of the protected important interests (21).
(27)
Requirements applicable to anonymously processed personal information, as defined in Article 2(9) of the APPI, are stipulated in Section 2 of Chapter 4 of the Act ("Duties of an Anonymously Processed Information Handling Business Operator"). Conversely, such information is not governed by the provisions of Section 1 of Chapter IV of the APPI which includes the articles stipulating the data protection safeguards and rights applying to the processing of personal data under that Act. Consequently, while "anonymously processed personal information" is not subject to the "standard" data protection rules (those specified in Section 1 of Chapter IV and in Article 42 of the APPI), they do fall within the scope of application of the APPI, notably Articles 36 to 39.
(36)
Article 76 of the APPI excludes certain types of data processing from the application of Chapter IV of the Act, which contains the central data protection provisions (basic principles, obligations of business operators, individual rights, supervision by the PPC). Processing covered by the sectoral exclusion in Article 76 is also exempted from the enforcement powers of the PPC, pursuant to Article 43(2) of the APPI (24).
(38)
In order to ensure an adequate level of protection of personal data transferred from the European Union to business operators in Japan, only processing of personal information falling within the scope of Chapter IV of the APPI – i.e. by a PIHBO to the extent the processing situation does not correspond to one of the sectoral exclusions – should be covered by this Decision. Its scope should therefore be aligned to that of the APPI. According to the information received from the PPC, where a PIHBO covered by this Decision subsequently modifies the utilisation purpose (to the extent this is permissible) and would then be covered by one of the sectoral exclusions in Article 76 of the APPI, this would be considered as an international transfer (given that, in such cases, the processing of the personal information would no longer be covered by Chapter IV of the APPI and thus fall outside its scope of application). The same would apply in case a PIHBO provides personal information to an entity covered by Article 76 of the APPI for use for one of the processing purposes indicated in that provision. As regards personal data transferred from the European Union, this would therefore constitute an onward transfer subject to the relevant safeguards (notably those specified in Article 24 of the APPI and Supplementary Rule (4)). Where the PIHBO relies on the data subject's consent (25), it would have to provide him/her with all the necessary information, including that the personal information would no longer be protected by the APPI.
(76)
A first protection is enshrined in Article 24 of the APPI which generally prohibits the transfer of personal data to a third party outside the territory of Japan without the prior consent of the individual concerned. Supplementary Rule (4) ensures that in the case of data transfers from the European Union such consent will be particularly well informed as it requires that the individual concerned shall be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent". On that basis, the data subject shall be informed of the fact that the data will be transferred abroad (outside the scope of application of the APPI) and of the specific country of destination. This will allow him/her to assess the risk for privacy involved with the transfer. Also, as can be inferred from Article 23 of the APPI (see recital 47), the information provided to the principal should cover the compulsory items under its paragraph 2, namely the categories of personal data provided to a third party and the method of disclosure.
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(130) Upon collection by the Japanese public authorities, personal information falls within the scope of application of the APPIHAO. That Act regulates the handling (processing) of "retained personal information", and insofar imposes a number of limitations and safeguards (see recital 118) (102). Moreover, the fact that an Administrative Organ may retain personal information "only when the retention is necessary for performing the affairs under its jurisdiction provided by laws and regulations" (Article 3(1) of the APPIHAO) also imposes restrictions – at least indirectly – on the initial collection.
(136)
In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).
(180)
In application of Article 45(3) of Regulation (EU) 2016/679 (150), and in the light of the fact that the level of protection afforded by the Japanese legal order may be liable to change, the Commission, following the adoption of this Decision, should periodically check whether the findings relating to the adequacy of the level of protection ensured by Japan are still factually and legally justified.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
(185)
If, after the specified time period, the competent Japanese authorities fail to demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission should, in application of Article 45(5) of Regulation (EU) 2016/679, initiate the procedure leading to the partial or complete suspension or repeal of this Decision. Alternatively, the Commission should initiate the procedure to amend this Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which the continuity of protection within the meaning of Article 44 of the GDPR is ensured.