(10)
The two latter acts (amended in 2016) contain provisions applicable to the protection of personal information by public sector entities. Data processing falling within the scope of application of those acts is not the object of the adequacy finding contained in this Decision, which is limited to the protection of personal information by "Personal Information Handling Business Operators" (PIHBOs) within the meaning of the APPI.
(14)
Recently, by a Cabinet Decision adopted on 12 June 2018, the Japanese government amended the "Basic Policy". With a view to facilitating international data transfers, that Cabinet Decision delegates to the PPC, as the authority competent for administering and implementing the APPI, "the power to take the necessary action to bridge differences of the systems and operations between Japan and the concerned foreign country based on Article 6 of the Act in view of ensuring appropriate handling of personal information received from such country". The Cabinet Decision stipulates that this includes the power to establish enhanced protections through the adoption by the PPC of stricter rules supplementing and going beyond those laid down in the APPI and the Cabinet Order. Pursuant to that Decision, these stricter rules shall be binding and enforceable on Japanese business operators.
(15)
On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhancing the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.
(16)
Unlike before the 2015 amendment when this fell into the competence of various Japanese Ministries in specific sectors, the APPI empowers the PPC to adopt "Guidelines" "to ensure the proper and effective implementation of action to be taken by a business operator" under the data protection rules. Through its Guidelines, the PPC provides an authoritative interpretation of those rules, in particular the APPI. According to the information received from the PPC, those Guidelines form an integral part of the legal framework, to be read together with the text of the APPI, the Cabinet Order, the PPC Rules and a set of Q&A (14) prepared by the PPC. They are therefore "binding on business operators". Where the Guidelines state that a business operator "must" or "should not" act in a specified way, the PPC will consider that non-compliance with the relevant provisions amounts to a violation of the law (15).
(17)
The scope of application of the APPI is determined by the defined concepts of Personal Information, Personal Data and Personal Information Handling Business Operator. At the same time, the APPI provides for some important exemptions from its scope, most importantly for Anonymously Processed Personal Data and for specific types of processing by certain operators. While the APPI does not use the term "processing", it relies on the equivalent concept of "handling" which, according to the information received from the PPC, covers "any act on personal data" including the acquisition, input, accumulation, organisation, storage, editing/processing, renewal, erasure, output, utilization, or provision of personal information.
(18)
First of all, as regards its material scope, the APPI distinguishes personal information from personal data, with only certain of the provisions of the Act being applicable to the former category. According to Article 2(1) of the APPI, the concept of "personal information" includes any information relating to a living individual which enables the identification of that individual. The definition distinguishes two categories of personal information: (i) individual identification codes; and (ii) other personal information whereby a specific individual can be identified. The latter category also includes information which by itself does not enable identification but, when "readily collated" with other information, allows the identification of a specific individual. According to the PPC Guidelines (16), whether information can be considered as "readily collated" shall be judged on a case by case basis, taking into consideration the actual situation ("condition") of the business operator. This will be assumed if such collation is (or can be) performed by an average ("normal") business operator using the means available to that operator. For instance, information is not "readily collated" with other information if a business operator needs to make unusual efforts or commit illegal acts to obtain the information to be collated from one or more other business operators.
(25)
The second category has been further specified in Article 5 of the Cabinet Order. Read in conjunction with Article 2(7) of the APPI, it exempts from the scope of the notion of retained personal data, and thus from the individual rights under the APPI, those personal data that are "set to be deleted" within a period of six months. The PPC has explained that this exemption aims at incentivising business operators to retain and process data for the shortest period possible. However, this would mean that EU data subjects would not be able to benefit from important rights for no other reason than the duration of the retention of their data by the concerned business operator.
(27)
Requirements applicable to anonymously processed personal information, as defined in Article 2(9) of the APPI, are stipulated in Section 2 of Chapter 4 of the Act ("Duties of an Anonymously Processed Information Handling Business Operator"). Conversely, such information is not governed by the provisions of Section 1 of Chapter IV of the APPI which includes the articles stipulating the data protection safeguards and rights applying to the processing of personal data under that Act. Consequently, while "anonymously processed personal information" is not subject to the "standard" data protection rules (those specified in Section 1 of Chapter IV and in Article 42 of the APPI), it does fall within the scope of application of the APPI, notably Articles 36 to 39.
(29)
It results from those provisions, as also confirmed by the PPC, that the process of rendering personal information "anonymous" does not need to be technically irreversible. Pursuant to Article 36(2) of the APPI, business operators handling "anonymously processed personal information" are merely required to prevent re-identification by taking measures to ensure the security of "the descriptions etc. and individual identification codes deleted from personal information used to produce the anonymously processed information, and information relating to a processing method carried out".
(31)
To address that situation, the Supplementary Rules provide for additional requirements applicable only to personal data transferred from the European Union under this Decision. According to Rule (5) of the Supplementary Rules, such personal information shall only be considered "anonymously processed personal information" within the meaning of the APPI "if the personal information handling business operator takes measures that make the de-identification of the individual irreversible for anyone, including by deleting processing method etc. related information". The latter has been specified in the Supplementary Rules as information relating to descriptions and individual identification codes which were deleted from personal information used to produce "anonymously processed personal information", as well as information relating to a processing method applied while deleting these descriptions and individual identification codes. In other terms, the Supplementary Rules require the business operator producing "anonymously processed personal information" to destroy the "key" permitting re-identification of the data. This means that personal data originating from the European Union will fall under the APPI provisions regarding "anonymously processed personal information" only in cases where they would likewise be considered anonymous information under Regulation (EU) 2016/679 (22).
(32)
Concerning its personal scope, the APPI applies only to PIHBOs. A PIHBO is defined in Article 2(5) of the APPI as "a person providing a personal information database etc. for use in business", with the exclusion of the government and administrative agencies at both central and local level.
(33)
According to the PPC Guidelines, "business" means any "conduct aimed at exercising, for a certain goal, regardless of whether or not for profit, repeatedly and continuously, a socially recognised enterprise". Organisations without legal personality (such as de facto associations) or individuals are considered as a PIHBO if they provide (use) a personal information database etc. for their business (23). Therefore, the notion of "business" under the APPI is very broad in that it includes not only for-profit but also not-for-profit activities by all kinds of organisations and individuals. Moreover, "use in business" also covers personal information that is not used in the operator's (external) commercial relationships, but internally, for instance the processing of employee data.
(36)
Article 76 of the APPI excludes certain types of data processing from the application of Chapter IV of the Act, which contains the central data protection provisions (basic principles, obligations of business operators, individual rights, supervision by the PPC). Processing covered by the sectoral exclusion in Article 76 is also exempted from the enforcement powers of the PPC, pursuant to Article 43(2) of the APPI (24).
(37)
The relevant categories for the sectoral exclusion in Article 76 of the APPI are defined by using a double criterion based on the type of PIHBO processing the personal information and the purpose of processing. More specifically, the exclusion applies to: (i) broadcasting institutions, newspaper publishers, communication agencies or other press organisations (including any individuals carrying out press activities as their business) to the extent they process personal information for press purposes; (ii) persons engaged in professional writing, to the extent this involves personal information; (iii) universities and any other organisations or groups aimed at academic studies, or any person belonging to such an organisation, to the extent they process personal information for the purpose of academic studies; (iv) religious bodies to the extent they process personal information for purposes of religious activity (including all related activities); and (v) political bodies to the extent they process personal information for the purposes of their political activity (including all related activities). Processing of personal information for one of the purposes listed in Article 76 by other types of PIHBOs as well as processing of personal information by one of the listed PIHBOs for other purposes, for instance in the employment context, remain covered by the provisions of Chapter IV.
(38)
In order to ensure an adequate level of protection of personal data transferred from the European Union to business operators in Japan, only processing of personal information falling within the scope of Chapter IV of the APPI – i.e. by a PIHBO to the extent the processing situation does not correspond to one of the sectoral exclusions – should be covered by this Decision. Its scope should therefore be aligned to that of the APPI. According to the information received from the PPC, where a PIHBO covered by this Decision subsequently modifies the utilisation purpose (to the extent this is permissible) and would then be covered by one of the sectoral exclusions in Article 76 of the APPI, this would be considered as an international transfer (given that, in such cases, the processing of the personal information would no longer be covered by Chapter IV of the APPI and thus fall outside its scope of application). The same would apply in case a PIHBO provides personal information to an entity covered by Article 76 of the APPI for use for one of the processing purposes indicated in that provision. As regards personal data transferred from the European Union, this would therefore constitute an onward transfer subject to the relevant safeguards (notably those specified in Article 24 of the APPI and Supplementary Rule (4)). Where the PIHBO relies on the data subject's consent (25), it would have to provide him/her with all the necessary information, including that the personal information would no longer be protected by the APPI.
(40)
The APPI relies on the principle that a business operator has to specify the utilisation purpose "as explicitly as possible" (Article 15(1)) and is then bound by such purpose when processing the data.
(43)
When it comes to personal information acquired from another business operator, the PIHBO is, in principle, free to set a new utilisation purpose (28). In order to ensure that, in case of a transfer from the European Union, such a recipient is bound by the purpose for which the data was transferred, Supplementary Rule (3) requires that, in cases "where a [PIHBO] receives personal data from the EU based on an adequacy decision" or such an operator "receives from another [PIHBO] personal data previously transferred from the EU based on an adequacy decision" (onward sharing), the recipient has to "specify the purpose of utilising the said personal data within the scope of the utilisation purpose for which the data was originally or subsequently received". In other words, the rule ensures that in a transfer context the purpose specified pursuant to Regulation (EU) 2016/679 continues to determine the processing, and that a change of that purpose at any stage of the processing chain in Japan would require the consent of the EU data subject. While obtaining this consent requires the PIHBO to contact the data subject, where this is not possible the consequence is simply that the original purpose has to be maintained.
(47)
Finally, when it comes to the further provision of personal information to a third party (31), Article 23(1) of the APPI limits such disclosure to specific cases, with the prior consent by the data subject as the general rule (32). Article 23(2), (3) and (4) of the APPI provide for exceptions to the requirement to obtain consent. However, these exceptions apply only to non-sensitive data and require that the business operator informs the individuals concerned in advance of the intention to disclose their personal information to a third party and the possibility to object to any further disclosure (33).
(57)
Personal data should be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art and related costs.
(64)
Both the requirements of Article 18 and the obligation to inform about the utilisation purpose under Article 27 of the APPI are subject to the same set of exceptions, mostly based on public interest considerations and the protection of rights and interests of the data subject, third parties and the controller (37). According to the interpretation developed in the PPC Guidelines, those exceptions apply in very specific situations, such as where information on the utilisation purpose would risk undermining legitimate measures taken by the business operator to protect certain interests (e.g. fight against fraud, industrial espionage, sabotage).
(68)
While the concept of "sensitive" data is inherently a social construct in that it is grounded in cultural and legal traditions, moral considerations, policy choices etc. of a given society, given the importance of ensuring adequate safeguards to sensitive data when transferred to business operators in Japan the Commission has obtained that the special protections afforded to "special care-required personal information" under Japanese law are extended to all categories recognised as "sensitive data" in Regulation (EU) 2016/679. To this end, Supplementary Rule (1) provides that data transferred from the European Union concerning an individual's sex life, sexual orientation or trade-union membership shall be processed by PIHBOs "in the same manner as special care-required personal information within the meaning of Article 2, paragraph 3 of the [APPI]".
(73)
Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PIHBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).
(74)
Accredited personal information protection organisations submit annual reports on their operations. According to the "Overview of the Implementation Status [of] the APPI in FY 2015" published by the PPC, accredited personal information protection organisations received a total of 442 complaints, required 123 explanations from business operators under their jurisdiction, requested documents from these operators in 41 cases, gave 181 instructions and made two recommendations (45).
(75)
The level of protection afforded to personal data transferred from the European Union to business operators in Japan must not be undermined by the further transfer of such data to recipients in a third country outside Japan. Such "onward transfers", which from the perspective of the Japanese business operator constitute international transfers from Japan, should be permitted only where the further recipient outside Japan is itself subject to rules ensuring a similar level of protection as guaranteed within the Japanese legal order.
(84)
These rights are subject to three types of restrictions, relating to the individual's own or third parties’ rights and interests (51), serious interference with the PIHBO's business operations (52) as well as cases in which disclosure would violate other laws or regulations (53). The situations in which these restrictions would apply are similar to some of the exceptions applicable under Article 23(1) of Regulation (EU) 2016/679, which allows for restrictions of the rights of individuals for reasons related to the "protection of the data subject or the rights and freedoms of others" or "other important objectives of general public interest". Although the category of cases in which disclosure would violate "other laws or regulations" may appear broad, laws and regulations providing for limitations in this regard must respect the constitutional right to privacy and may impose restrictions only to the extent that the exercise of this right would "interfere with the public welfare" (54). This requires a balancing of the interests at stake.
(93)
Unlike EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).
(94)
In any event, as regards personal data that has been collected in the European Union, any decision based on automated processing will typically be taken by the data controller in the Union (which has a direct relationship with the concerned data subject) and is thus subject to Regulation (EU) 2016/679 (56). This includes transfer scenarios where the processing is carried out by a foreign (e.g. Japanese) business operator acting as an agent (processor) on behalf of the EU controller (or as a sub-processor acting on behalf of the EU processor having received the data from an EU controller that collected it) which on this basis then takes the decision. Therefore, the absence of specific rules on automated decision making in the APPI is unlikely to affect the level of protection of the personal data transferred under this Decision.
(96)
In Japan, the authority in charge of monitoring and enforcing the APPI is the PPC. It is composed of a Chairperson and eight Commissioners appointed by the Prime Minister with the consent of both Houses of the Diet. The term of office for the Chairperson and each of the Commissioners is five years, with the possibility for reappointment (Article 64 of the APPI). Commissioners may only be dismissed for good cause in a limited set of exceptional circumstances (57) and must not be actively engaged in political activities. Moreover, under the APPI, full-time Commissioners must abstain from any other remunerated activities, or business activities. All Commissioners are also subject to internal rules preventing them from participation in deliberations in case of a possible conflict of interests. The PPC is assisted by a Secretariat, led by a Secretary-General, that has been established for the purpose of carrying out the tasks assigned to the PPC (Article 70 of the APPI). Both the Commissioners and all officials in the Secretariat are bound by strict rules of secrecy (Articles 72, 82 of the APPI).
(104)
Before or instead of seeking administrative or judicial redress, an individual may decide to submit a complaint about the processing of his/her personal data to the controller itself. Based on Article 35 of the APPI, PIHBOs shall endeavour to deal with such complaints "appropriately and promptly" and establish internal complaint-handling systems to achieve this objective. In addition, under Article 61(ii) of the APPI the PPC is responsible for the "necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint", which in both cases includes complaints submitted by foreigners. In this regard, the Japanese legislator has also entrusted the central government with the task of taking "necessary action" to enable and facilitate the resolution of complaints by PIHBOs (Article 9), while local governments shall endeavour to ensure mediation in such cases (Article 13). In that respect, individuals may lodge a complaint with one of the more than 1 700 consumer centres established by local governments based on the Consumer Safety Act (61), in addition to the possibility of lodging a complaint with the National Consumer Affairs Centre of Japan. Such complaints may also be brought with respect to a violation of the APPI. Under Article 19 of the Basic Consumer Act (62), local governments shall endeavour to engage in mediation with respect to complaints and provide the parties with necessary expertise. Those dispute resolution mechanisms appear quite effective, with a resolution rate of 91,2 % concerning more than 75 000 complaint cases in 2015.
(106)
Second, in the case where an alleged infringement does not concern individual rights under Articles 28, 29 and 30 but general data protection principles or obligations of the PIHBO, the concerned individual may bring a civil action against the business operator based on the torts provisions of the Japanese Civil Code, especially Article 709. While a lawsuit under Article 709 requires, aside from fault (intention or negligence), a demonstration of harm, according to Article 710 of the Civil Code such harm may be both material and immaterial. No limitation is imposed as to the amount of compensation.
(108)
Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). 
While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, sanctions up to the full maximum amount can be imposed on both the employee and the company.
(112)
Finally, an individual may also file an action for State compensation against the PPC under Article 1(1) of the State Redress Act in case (s)he has suffered damages due to the fact that an order issued by the PPC to a business operator was unlawful or the PPC has not exercised its authority.
(113)
The Commission has also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Japanese law as regards the collection and subsequent use of personal data transferred to business operators in Japan by public authorities for public interest, in particular criminal law enforcement and national security purposes ("government access"). In this respect, the Japanese government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.
(114)
As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).
(116)
Importantly, Article 21(2) of the Constitution guarantees the secrecy of all means of communication, with limitations only allowed by legislation on public interest grounds. Article 4 of the Telecommunications Business Act, according to which the secrecy of communications handled by a telecommunications carrier shall not be violated, implements this confidentiality requirement at the level of statutory law. This has been interpreted as prohibiting the disclosure of communications information, except with the consent of users or if based on one of the explicit exemptions from criminal liability under the Penal Code (77).
(126)
To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).
(129)
Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or by a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.
(133)
While there is no ex-ante check by a judge in the case of requests for voluntary disclosure, business operators to whom such requests are addressed can object to them without risking any negative consequences (and will have to take into account the privacy impact of any disclosure). Moreover, according to Article 192(1) of the CCP, police officials shall always cooperate and coordinate their actions with the public prosecutor (and the Prefectural Public Safety Commission) (105). In turn, the public prosecutor may give the necessary general instructions setting forth standards for a fair investigation and/or issue specific orders with respect to an individual investigation (Article 193 of the CCP). Where such instructions and/or orders are not followed, the prosecution may file charges for disciplinary action (Article 194 of the CCP). Hence, the Prefectural Police operates under the supervision of the public prosecutor.
(141)
Second, given that redress will naturally have to be sought abroad in a foreign system and in a foreign language, in order to facilitate redress for EU individuals whose personal data is transferred to business operators in Japan and then accessed by public authorities, the Japanese government has made use of its powers to create a specific mechanism, administered and supervised by the PPC, for handling and resolving complaints in this field. That mechanism builds on the cooperation obligation imposed on Japanese public authorities under the APPI and the special role of the PPC with respect to international data transfers from third countries under Article 6 of the APPI and the Basic Policy (as established by the Japanese government through Cabinet Order). The details of this mechanism are set out in the official representations, assurances and commitments received from the Japanese government and attached to this Decision as Annex II. The mechanism is not subject to any standing requirement and is open to any individual, independently of whether (s)he is suspected or accused of a criminal offence.
(151)
According to the Japanese authorities, there is no law in Japan permitting compulsory requests for information or "administrative wiretapping" outside criminal investigations. Hence, on national security grounds information may only be obtained from an information source that can be freely accessed by anyone or by voluntary disclosure. Business operators receiving a request for voluntary cooperation (in the form of disclosure of electronic information) are under no legal obligation to provide such information (124).
(152)
Also, according to the information received, only four government entities are empowered to collect electronic information held by Japanese business operators on national security grounds, namely: (i) the Cabinet Intelligence & Research Office (CIRO); (ii) the Ministry of Defence ("MOD"); (iii) the police (both National Police Agency (NPA) (125) and Prefectural Police); and (iv) the Public Security Intelligence Agency ("PSIA"). However, the CIRO never collects information directly from business operators, including by means of interception of communications. Where it receives information from other government authorities in order to provide analysis to the Cabinet, these other authorities in turn have to comply with the law, including the limitations and safeguards analysed in this Decision. Its activities are thus not relevant in a transfer context.
(153)
According to the information received, the MOD collects (electronic) information on the basis of the MOD Establishment Act. Pursuant to its Article 3, the mission of the MOD is to manage and operate the military forces and "to conduct such affairs as related thereto in order to secure national peace and independence, and the safety of the nation." Article 4(4) provides that the MOD shall have jurisdiction over the "defence and guard", over the actions to be taken by the Self-Defence Forces as well as over the deployment of the military forces, including the collection of information necessary to conduct those affairs. It only has authority to collect (electronic) information from business operators through voluntary cooperation.
(177)
Therefore, the Commission should on an on-going basis monitor the situation as regards the legal framework and actual practice for the processing of personal data as assessed in this Decision, including compliance by the Japanese authorities with the representations, assurances and commitments contained in Annex II. To facilitate this process, the Japanese authorities are expected to inform the Commission of material developments relevant to this Decision, both as regards the processing of personal data by business operators and the limitations and safeguards applicable to access to personal data by public authorities. This should include any decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan.
(178)
Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities ("DPAs"), in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the European Union to business operators in Japan. The Commission should also be informed about any indications that the actions of Japanese public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security, including any oversight bodies, do not ensure the required level of protection.
(184)
Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.
(186)
In particular, the Commission should initiate the procedure for suspension or repeal in case of indications that the Supplementary Rules contained in Annex I are not complied with by business operators receiving personal data under this Decision and/or are not effectively enforced, or that the Japanese authorities fail to comply with the representations, assurances and commitments contained in Annex II to this Decision.