(8)
Based on that Article, the Japanese Supreme Court has clarified the rights of individuals as regards the protection of personal information. In a decision of 1969, it recognised the right to privacy and data protection as a constitutional right (8). Notably, the Court held that "every individual has the liberty of protecting his/her own personal information from being disclosed to a third party or made public without good reason." Moreover, in a decision of 6 March 2008 ("Juki-Net") (9), the Supreme Court held that "citizens’ liberty in private life shall be protected against the exercise of public authority, and it can be construed that, as one of an individual's liberties in private life, every individual has the liberty of protecting his/her own personal information from being disclosed to a third party or being made public without good reason" (10).
(11)
The APPI has been reformed in recent years. The amended APPI was promulgated on 9 September 2015 and came into force on 30 May 2017. The amendment introduced a number of new safeguards, and also strengthened existing safeguards, thus bringing the Japanese data protection system closer to the European one. This includes, for instance, a set of enforceable individual rights or the establishment of an independent supervisory authority (PPC) entrusted with the oversight and enforcement of the APPI.
(11)
The APPI has been reformed in recent years. The amended APPI was promulgated on 9 September 2015 and came into force on 30 May 2017. The amendment introduced a number of new safeguards, and also strengthened existing safeguards, thus bringing the Japanese data protection system closer to the European one. This includes, for instance, a set of enforceable individual rights or the establishment of an independent supervisory authority (PPC) entrusted with the oversight and enforcement of the APPI.
(14)
Recently, by a Cabinet Decision adopted on 12 June 2018, the Japanese government amended the "Basic Policy". With a view to facilitating international data transfers, that Cabinet Decision delegates to the PPC, as the authority competent for administering and implementing the APPI, "the power to take the necessary action to bridge differences of the systems and operations between Japan and the concerned foreign country based on Article 6 of the Act in view of ensuring appropriate handling of personal information received from such country". The Cabinet Decision stipulates that this includes the power to establish enhanced protections through the adoption by the PPC of stricter rules supplementing and going beyond those laid down in the APPI and the Cabinet Order. Pursuant to that Decision, these stricter rules shall be binding and enforceable on Japanese business operators.
(70)
Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.
(95)
In order to ensure that an adequate level of data protection is guaranteed also in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules should be in place. This authority should act with complete independence and impartiality in performing its duties and exercising its powers.
(96)
In Japan, the authority in charge of monitoring and enforcing the APPI is the PPC. It is composed of a Chairperson and eight Commissioners appointed by the Prime Minister with the consent of both Houses of the Diet. The term of office for the Chairperson and each of the Commissioners is five years, with the possibility for reappointment (Article 64 of the APPI). Commissioners may only be dismissed for good cause in a limited set of exceptional circumstances (57) and must not be actively engaged in political activities. Moreover, under the APPI, full-time Commissioners must abstain from any other remunerated activities, or business activities. All Commissioners are also subject to internal rules preventing them from participation in deliberations in case of a possible conflict of interests. The PPC is assisted by a Secretariat, led by a Secretary-General, that has been established for the purpose of carrying out the tasks assigned to the PPC (Article 70 of the APPI). Both the Commissioners and all officials in the Secretariat are bound by strict rules of secrecy (Articles 72, 82 of the APPI).
(112)
Finally, an individual may also file an action for State compensation against the PPC under Article 1(1) of the State Redress Act in case (s)he has suffered damages due to the fact that an order issued by the PPC to a business operator was unlawful or the PPC has not exercised its authority.
(114)
As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).
(127)
Specifically with respect to Article 197(2) of the CCP, the National Police Agency ("NPA") – as the federal authority in charge, among others, of all matters concerning the criminal police – has issued instructions to the Prefectural Police (93) on the "proper use of written inquiries in investigative matters". According to this Notification, requests must be made using a pre-established form ("Form No. 49" or so-called "enquiry sheet") (94), concern records "regarding a specific investigation" and the requested information must be "necessary for [that] investigation". In each case, the chief investigator shall "fully examine the necessity, content, etc. of [the] individual enquiry" and must receive internal approval from a high-ranking official.
(129)
Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.
(136)
In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).
(139)
In addition, Article 79 of the Police Law guarantees individuals who have concerns with respect to the "execution of duties" by police personnel the right to lodge a complaint with the (competent) independent Prefectural Public Safety Commission. The Commission will "faithfully" handle such complaints in accordance with laws and local ordinances and shall notify the complainant in writing of the results. Based on its authority to supervise and "direct" the Prefectural Police with respect to "personnel's misconduct" (Articles 38(3), 43-2(1) of the Police Law), it may request the Prefectural Police to investigate the facts, take appropriate measures based on the outcome of this investigation and report on the results. If it considers that the investigation carried out by the Police has not been adequate, the Commission may also provide instructions on the handling of the complaint.
(142)
Under the mechanism, an individual who suspects that his/her data transferred from the European Union has been collected or used by public authorities in Japan (including those responsible for criminal law enforcement) in violation of the applicable rules can submit a complaint to the PPC (individually or though his/her data protection authority within the meaning of Article 51 of the GDPR). The PPC will be under an obligation to handle the complaint and in a first step inform the competent public authorities, including the relevant oversight bodies, thereof. Those authorities are required to cooperate with the PPC, "including by providing the necessary information and relevant material, so that the PPC can evaluate whether the collection or the subsequent use of personal information has taken place in compliance with the applicable rules" (117). This obligation, derived from Article 80 of the APPI (requiring Japanese public authorities to co-operate with PPC), applies in general and hence extends to the review of any investigatory measures taken by such authorities, which moreover have committed to such cooperation through written assurances from the competent ministries and agency heads, as reflected in Annex II.
(144)
Once the evaluation is concluded, the PPC shall notify the individual within a reasonable period of time of the outcome of the evaluation, including any corrective action taken where applicable. At the same time, the PPC shall also inform the individual about the possibility of seeking a confirmation of the outcome from the competent public authority and the identity of the authority to which such a request for confirmation should be made. The possibility to receive such a confirmation, including the reasons underpinning the decision of the competent authority, may be of assistance to the individual in taking any further steps, including when seeking judicial redress. Detailed information on the outcome of the evaluation can be restricted as long as there are reasonable grounds to consider that communicating such information is likely to pose a risk to the ongoing investigation.
(147)
Finally, under Article 1(1) of the State Redress Act a court may grant compensation where a public officer who exercises the public authority of the State has, in the course of his/her duties, unlawfully and with fault (intentionally or negligently) inflicted damage on the individual concerned. According to Article 4 of the State Redress Act, the State's liability for damages is based on the provisions of the Civil Code. In this respect, Article 710 of the Civil Code stipulates that liability also covers damages other than those to property, and hence moral damage (for instance in the form of "mental distress"). This includes cases where the privacy of an individual has been invaded by unlawful surveillance and/or the collection of his/her personal information (e.g. the illegal execution of a warrant) (121).
(153)
According to the information received, the MOD collects (electronic) information on the basis of the MOD Establishment Act. Pursuant to its Article 3, the mission of the MOD is to manage and operate the military forces and "to conduct such affairs as related thereto in order to secure national peace and independence, and the safety of the nation." Article 4(4) provides that the MOD shall have jurisdiction over the "defence and guard", over the actions to be taken by the Self-Defence Forces as well as over the deployment of the military forces, including the collection of information necessary to conduct those affairs. It only has authority to collect (electronic) information from business operators through voluntary cooperation.
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(156) In all cases of government access on national security grounds described in this section, the limitations stipulated by the Japanese Supreme Court for voluntary investigations apply, which means that the collection of (electronic) information must conform with the principles of necessity and proportionality ("appropriate method") (131). As explicitly confirmed by the Japanese authorities, "the collection and processing of information takes place only to the extent necessary to the performance of specific duties of the competent public authority as well as on the basis of specific threats". Therefore, "this excludes mass and indiscriminate collection or access to personal information for national security reasons" (132).
(161)
As regards MOD, oversight is exercised by the Inspector General's Office of Legal Compliance (IGO) (134) that has been established based on Article 29 of the MOD Establishment Act as an office within the MOD under the supervision of the Minister of Defence (to which it reports) but independent from MOD's operational departments. The IGO has the task of ensuring compliance with laws and regulations as well as the proper execution of duties by MOD officials. Among its powers is the authority to carry out so-called "Defence Inspections", both at regular intervals ("Regular Defence Inspections") and in individual cases ("Special Defence Inspections"), which in the past have also covered the proper handling of personal information (135). In the context of such inspections, the IGO may enter sites (offices) and request the submission of documents or information, including explanations by the Deputy Vice-Minister of the MOD. The inspection is concluded through a report to the Minister of Defence setting out the findings and measures for improvement (the implementation of which can again be checked through further inspections). The report in turn forms the basis for instructions from the Minister of Defence to implement the measures necessary to address the situation; the Deputy Vice-Minister is charged with carrying out such measures and has to report on the follow-up.
(164)
These oversight mechanisms, which are further strengthened through the possibility for individuals to trigger the intervention of the PPC as an independent supervisory authority (see below section 168), provide adequate guarantees against the risk of abuse by Japanese authorities of their powers in the area of national security, and against any unlawful collection of electronic information.
(166)
Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).