(38)
In order to ensure an adequate level of protection of personal data transferred from the European Union to business operators in Japan, only processing of personal information falling within the scope of Chapter IV of the APPI – i.e. by a PIHBO to the extent the processing situation does not correspond to one of the sectoral exclusions – should be covered by this Decision. Its scope should therefore be aligned to that of the APPI. According to the information received from the PPC, where a PIHBO covered by this Decision subsequently modifies the utilisation purpose (to the extent this is permissible) and would then be covered by one of the sectoral exclusions in Article 76 of the APPI, this would be considered as an international transfer (given that, in such cases, the processing of the personal information would no longer be covered by Chapter IV of the APPI and thus fall outside its scope of application). The same would apply in case a PIHBO provides personal information to an entity covered by Article 76 of the APPI for use for one of the processing purposes indicated in that provision. As regards personal data transferred from the European Union, this would therefore constitute an onward transfer subject to the relevant safeguards (notably those specified in Article 24 of the APPI and Supplementary Rule (4)). Where the PIHBO relies on the data subject's consent (25), it would have to provide him/her with all the necessary information, including that the personal information would no longer be protected by the APPI.
(42)
Moreover, under Article 16(1) of the APPI, PIHBOs are prohibited from handling personal information beyond the "necessary scope to achieve a utilization purpose" specified under Article 15 without obtaining in advance a data subject's consent, unless one of the derogations in Article 16(3) applies (27).
(43)
When it comes to personal information acquired from another business operator, the PIHBO is, in principle, free to set a new utilisation purpose (28). In order to ensure that, in case of a transfer from the European Union, such a recipient is bound by the purpose for which the data was transferred, Supplementary Rule (3) requires that, in cases "where a [PIHBO] receives personal data from the EU based on an adequacy decision" or such an operator "receives from another [PIHBO] personal data previously transferred from the EU based on an adequacy decision" (onward sharing), the recipient has to "specify the purpose of utilising the said personal data within the scope of the utilisation purpose for which the data was originally or subsequently received". In other words, the rule ensures that in a transfer context the purpose specified pursuant to Regulation (EU) 2016/679 continues to determine the processing, and that a change of that purpose at any stage of the processing chain in Japan would require the consent of the EU data subject. While obtaining this consent requires the PIHBO to contact the data subject, where this is not possible the consequence is simply that the original purpose has to be maintained.
(45)
Under the APPI, when a PIHBO collects personal information, it is required to specify the purpose of utilising the personal information in a detailed manner (29) and promptly inform the data subject of (or disclose to the public) this utilisation purpose (30). In addition, Article 17 of the APPI provides that a PIHBO shall not acquire personal information by deceit or other improper means. As regards certain categories of data such as special-care required personal information, their acquisition requires the consent of the data subject (Article 17(2) of the APPI).
(46)
Subsequently, as explained in recitals 41 and 42, the PIHBO is prohibited from processing the personal information for other purposes, except where the data subject consents to such processing or where one of the derogations pursuant to Article 16(3) of the APPI applies.
(47)
Finally, when it comes to the further provision of personal information to a third party (31), Article 23(1) of the APPI limits such disclosure to specific cases, with the prior consent by the data subject as the general rule (32). Article 23(2), (3) and (4) of the APPI provide for exceptions to the requirement to obtain consent. However, these exceptions do only apply to non-sensitive data and require that the business operator in advance informs the individuals concerned of the intention to disclose their personal information to a third party and the possibility to object to any further disclosure (33).
(50)
Furthermore, in case the PIHBO would like to change the purpose as previously specified under Regulation (EU) 2016/679, pursuant to Article 16(1) of the APPI it would have to obtain, in principle, the consent of the data subject. Without that consent, any data processing going beyond the scope necessary for achieving that utilisation purpose would constitute a violation of Article 16(1) that would be enforceable by the PPC and the courts.
(56)
According to Article 19 of the APPI, PIHBOs are required to "strive […] to delete the personal data without delay when such utilisation has become unnecessary". That provision needs to be read in conjunction with Article 16(1) of the APPI prohibiting the handling of personal information beyond "the necessary scope to achieve a utilisation purpose". Once the utilisation purpose has been achieved, processing of personal information cannot be considered necessary anymore and, hence, cannot continue (unless the PIHBO obtains the data subject's consent to do so).
(61)
Article 18(1) of the APPI requires the PIHBO to make information about the utilisation purpose of the personal information acquired available to the data subject, except for "cases where a utilisation purpose has been disclosed in advance to the public". The same obligation applies in case of a permissible change of purpose (Article 18(3)). This also ensures that the data subject is informed of the fact that his/her data has been collected. Although the APPI does not generally require the PIHBO to inform the data subject about the expected recipients of personal information at the stage of collection, such information is a necessary condition for any subsequent disclosure of information to a third party (recipient) based on Article 23(2), hence where this is done without prior consent of the data subject.
(69)
Concerning the additional substantive safeguards applying to special care-required personal information, according to Article 17(2) of the APPI, PIHBOs are not allowed to acquire such type of data without prior consent of the individual concerned, subject only to limited exceptions (38). Furthermore, this category of personal information is excluded from the possibility of third party disclosure based on the procedure provided for under Article 23(2) of the APPI (allowing transmission of data to third parties without the prior consent of the individual concerned).
(71)
As mentioned in footnote 34 (recital 49), PIHBOs are required, under Article 26(1) of the APPI, to verify the identity of a third party providing personal data to them and the "circumstances" under which such data was acquired by the third party (in case of personal data covered by this Decision, according to the APPI and Supplementary Rule (3) those circumstances shall include the fact that the data originates from the European Union as well as the purpose of the original data transfer). Among others, that measure aims at ensuring the lawfulness of data processing throughout the chain of PIHBOs handling the personal data. Furthermore, under Article 26(3) of the APPI, PIHBOs are required to keep a record of the date of receipt and the (mandatory) information received from the third party pursuant to paragraph 1, as well as the name of the individual concerned (data subject), the categories of data processed and, to the extent relevant, the fact that the data subject has given consent for sharing his/her personal data. As specified in Article 18 of the PPC Rules, those records must be preserved for a period of at least one to three years, depending on the circumstances. In the exercise of its tasks, the PPC can require the submission of such records (39).
(76)
A first protection is enshrined in Article 24 of the APPI which generally prohibits the transfer of personal data to a third party outside the territory of Japan without the prior consent of the individual concerned. Supplementary Rule (4) ensures that in the case of data transfers from the European Union such consent will be particularly well informed as it requires that the individual concerned shall be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent". On that basis, the data subject shall be informed of the fact that the data will be transferred abroad (outside the scope of application of the APPI) and of the specific country of destination. This will allow him/her to assess the risk for privacy involved with the transfer. Also, as can be inferred from Article 23 of the APPI (see recital 47), the information provided to the principal should cover the compulsory items under its paragraph 2, namely the categories of personal data provided to a third party and the method of disclosure.
(77)
Article 24 of the APPI, applied together with Article 11-2 of the PPC Rules, provides several exceptions to this consent-based rule. Furthermore, pursuant to Article 24, the same derogations as those applicable under Article 23(1) of the APPI apply also to international data transfers (46).
(78)
To ensure continuity of protection in case of personal data transferred from the European Union to Japan under this Decision, Supplementary Rule (4) enhances the level of protection for onward transfers of such data by the PIHBO to a third country recipient. It does so by limiting and framing the bases for international transfers that can be used by the PIHBO as an alternative to consent. More specifically, and without prejudice to the derogations set forth in Article 23(1) of the APPI, personal data transferred under this Decision may be subject to (onward) transfers without consent only in two cases: (i) where the data is sent to a third country which has been recognised by the PPC under Article 24 of the APPI as providing an equivalent level of protection to the one guaranteed in Japan (47); or (ii) where the PIHBO and the third party recipient have together implemented measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules, by means of a contract, other forms of binding agreements or binding arrangements within a corporate group. The second category corresponds to the instruments used under Regulation (EU) 2016/679 to ensure appropriate safeguards (in particular, contractual clauses and binding corporate rules). In addition, as confirmed by the PPC, even in those cases, the transfer remains subject to the general rules applicable to any provision of personal data to a third party under the APPI (i.e. the requirement to obtain consent under Article 23(1) or, alternatively, the information requirement with a possibility to opt out under Article 23(2) of the APPI). In case the data subject cannot be reached with a request for consent or in order to provide the required advance information under Article 23(2) of the APPI, the transfer may not take place.
(87)
Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).
(89)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain legal provisions specifically addressing the possibility to oppose processing for direct marketing purposes. However, such processing will, under this Decision, take place in the context of a transfer of personal data that was previously collected in the European Union. Under Article 21(2) of Regulation (EU) 2016/679, the data subject shall always have the possibility to oppose a transfer of data for the purpose of processing for direct marketing. Moreover, as explained in recital 43, under Supplementary Rule (3), a PIHBO is required to process the data received under the Decision for the same purpose for which the data have been transferred from the European Union, unless the data subject consents to change the utilisation purpose.Hence, if the transfer has been made for any purpose other than direct marketing, a PIHBO in Japan will be barred from processing the data for the purpose of direct marketing without consent of the EU data subject.
(92)
Finally, the individual may object to the provision of his/her personal information to a third party under Article 23(2) of the APPI, or refuse consent under Article 23(1) (thus preventing disclosure in case no other legal basis would be available). Likewise, the individual can stop the processing of data for a different purpose by refusing to provide consent pursuant to Article 16(1) of the APPI.
(96)
In Japan, the authority in charge of monitoring and enforcing the APPI is the PPC. It is composed of a Chairperson and eight Commissioners appointed by the Prime Minister with the consent of both Houses of the Diet. The term of office for the Chairperson and each of the Commissioners is five years, with the possibility for reappointment (Article 64 of the APPI). Commissioners may only be dismissed for good cause in a limited set of exceptional circumstances (57) and must not be actively engaged in political activities. Moreover, under the APPI, full-time Commissioners must abstain from any other remunerated activities, or business activities. All Commissioners are also subject to internal rules preventing them from participation in deliberations in case of a possible conflict of interests. The PPC is assisted by a Secretariat, led by a Secretary-General, that has been established for the purpose of carrying out the tasks assigned to the PPC (Article 70 of the APPI). Both the Commissioners and all officials in the Secretariat are bound by strict rules of secrecy (Articles 72, 82 of the APPI).
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(116)
Importantly, Article 21(2) of the Constitution guarantees the secrecy of all means of communication, with limitations only allowed by legislation on public interest grounds. Article 4 of the Telecommunications Business Act, according to which the secrecy of communications handled by a telecommunications carrier shall not be violated, implements this confidentiality requirement at the level of statutory law. This has been interpreted as prohibiting the disclosure of communications information, except with the consent of users or if based on one of the explicit exemptions from criminal liability under the Penal Code (77).
(121)
As indicated in recital 115, any data collection as part of a coercive investigation must be specifically authorised by law and may only be carried out based on a court warrant "issued for adequate cause" (Article 35 of the Constitution). As regards the investigation of criminal offences, this requirement is reflected in the provisions of the Code of Criminal Procedure ("CCP"). According to Article 197(1) of the CCP, compulsory measures "shall not be applied unless special provisions have been established in this Code". With respect to the collection of electronic information, the only relevant (82) legal bases in this regard are Article 218 of the CCP (search and seizure) and Article 222-2 of the CCP, according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other acts, namely the Act on Wiretapping for Criminal Investigation ("Wiretapping Act"). In both cases, the warrant requirement applies.
(126)
To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).
(135)
Third, also within the executive branch the Prefectural Police is subject to independent oversight. That includes in particular the Prefectural Public Safety Commissions established at prefectural level to ensure democratic administration and political neutrality of the police (108). These commissions are composed of members appointed by the Prefectural Governor with the consent of the Prefectural Assembly (from among citizens with no public servant position in the police in the five preceding years) and have a secure term of office (in particular only dismissal for good cause) (109). According to the information received, they are not subject to instructions, and thus can be considered as fully independent (110). As regards the tasks and powers of the Prefectural Public Safety Commissions, pursuant to Article 38(3) in conjunction with Articles 2 and 36(2) of the Police Law they are responsible for "the protection of [the] rights and freedom of an individual". To this effect, they are empowered to “supervise” (111) all investigatory activities of the Prefectural Police, including the collection of personal data. Notably, the commissions "may direct the [P]refectural [P]olice in detail or in a specific individual case of inspection of police personnel's misconduct, if necessary" (112). When the Chief of the Prefectural Police (113) receives such a direction or by him-/herself becomes aware of a possible case of misconduct (including the violation of laws or other neglect of duties), (s)he has to promptly inspect the case and report the inspection result to the Prefectural Public Safety Commission (Article 56(3) of the Police Law). Where the latter considers this necessary, it may also designate one of its members to review the status of implementation. The process continues until the Prefectural Public Safety Commission is satisfied that the incident has been appropriately addressed.
(167)
In any event, the Administrative Organ has to take a written decision within a certain period (30 days, which under certain conditions can be extended by an additional 30 days). If the request is rejected, only partially granted, or if the individual for other reasons considers the conduct of the Administrative Organ to be "illegal or unjust", the individual may request administrative review based on the Administrative Complaint Review Act (141). In such a case, the head of the Administrative Organ deciding on the appeal shall consult the Information Disclosure and Personal Information Protection Review Board (Articles 42, 43 APPIHAO), a specialised, independent board whose members are appointed by the Prime Minister with consent of both Houses of the Diet. According to the information received, the Review Board may carry out an examination (142) and in this respect request the Administrative Organ to provide the retained personal information, including any classified content, as well as further information and documents. While the ultimate report sent to the complainant as well as the Administrative Organ and made public is not legally binding, it is in almost all cases followed (143). Moreover, the individual has the possibility to challenge the appeal decision in court based on the Administrative Case Litigation Act. This opens the way for judicial control of the use of the national security exception(s), including of whether such an exception has been abused or is still justified.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.