(1)
Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope. The rules on international transfers of personal data are laid down in Chapter V of that Regulation, more specifically in Articles 44 to 50. The flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade, while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.
(5)
This Decision has the effect that transfers from a controller or processor in the European Economic Area (EEA) (7) to such organisations in Japan may take place without the need to obtain any further authorisation. This Decision does not affect the direct application of Regulation (EU) 2016/679 to such organisations when the conditions of its Article 3 are fulfilled.
(35)
Under the APPI, no specific distinction is drawn between the obligations imposed on controllers and processors. The absence of this distinction does not affect the level of protection because all PIHBOs are subject to all provisions of the Act. A PIHBO that entrusts the handling of personal data to a trustee (the equivalent of a processor under the GDPR) remains subject to the obligations under the APPI and Supplementary Rules with regard to the data it has entrusted. Additionally, under Article 22 of the APPI, it is bound to "exercise necessary and appropriate supervision" over the trustee. In turn, as the PPC has confirmed, the trustee is itself bound by all the obligations in the APPI and the Supplementary Rules.
(58)
This principle is implemented in Japanese law by Article 20 of the APPI, providing that a PIHBO "shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data." The PPC Guidelines explain the measures to be taken, including the methods for the establishment of basic policies, data handling rules and various "control actions" (regarding organisational safety as well as human, physical and technological security) (35). In addition, the PPC Guidelines and a dedicated Notice (Appendix 8 on "Contents of the safety management measures that have to be taken") published by the PPC provide more details on measures concerning security incidents involving, for example, the leakage of personal information, as part of the security management measures to be taken by PIHBOs (36).
(59)
Furthermore, whenever personal information is handled by employees or sub-contractors, "necessary and appropriate supervision" must be ensured under Articles 20 and 21 of the APPI for security control purposes. Finally, pursuant to Article 83 of the APPI, intentional leakage or theft of personal information is punishable by a sanction of up to one year of imprisonment.
(64)
Both the requirements of Article 18 and the obligation to inform about the utilisation purpose under Article 27 of the APPI are subject to the same set of exceptions, mostly based on public interest considerations and the protection of rights and interests of the data subject, third parties and the controller (37). According to the interpretation developed in the PPC Guidelines, those exceptions apply in very specific situations, such as where information on the utilisation purpose would risk undermining legitimate measures taken by the business operator to protect certain interests (e.g. fight against fraud, industrial espionage, sabotage).
(93)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).
(94)
In any event, as regards personal data that has been collected in the European Union, any decision based on automated processing will typically be taken by the data controller in the Union (which has a direct relationship with the concerned data subject) and is thus subject to Regulation (EU) 2016/679 (56). This includes transfer scenarios where the processing is carried out by a foreign (e.g. Japanese) business operator acting as an agent (processor) on behalf of the EU controller (or as a sub-processor acting on behalf of the EU processor having received the data from an EU controller that collected it) which on this basis then takes the decision. Therefore, the absence of specific rules on automated decision making in the APPI is unlikely to affect the level of protection of the personal data transferred under this Decision.
(101)
The Supplementary Rules further clarify and strengthen the PPC's enforcement powers. More specially, in cases involving data imported from the European Union, the PPC will always consider a PIHBO's failure to take action in line with a recommendation issued by the APPI pursuant to Article 42(1), without legitimate ground, as a serious infringement of an imminent nature of an individual's rights and interests within the meaning of Article 42(2), and therefore as an infringement warranting the issuance of a binding order. Moreover, as a "legitimate ground" for not complying with a recommendation the PPC will only accept an "event of an extraordinary nature [preventing compliance] outside the control of the [PIHBO] which cannot be reasonably foreseen (for example, natural disasters)" or cases where the necessity to take action concerning a recommendation "has disappeared because the [PIHBO] has taken alternative action that fully remedies the violation".
(104)
Before or instead of seeking administrative or judicial redress, an individual may decide to submit a complaint about the processing of his/her personal data to the controller itself. Based on Article 35 of the APPI, PIHBOs shall endeavour to deal with such complaints "appropriately and promptly" and establish internal complaint-handling systems to achieve this objective. In addition, under Article 61(ii) of the APPI the PPC is responsible for the "necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint", which in both cases includes complaints submitted by foreigners. In this regard, the Japanese legislator has also entrusted the central government with the task of taking "necessary action" to enable and facilitate the resolution of complaints by PIHBOs (Article 9), while local governments shall endeavour to ensure mediation in such cases (Article 13). In that respect, individuals may lodge a complaint with one of the more than 1 700 consumer centres established by local governments based on the Consumer Safety Act (61), in addition to the possibility of lodging a complaint with the National Consumer Affairs Centre of Japan. Such complaints may also be brought with respect to a violation of the APPI. Under Article 19 of the Basic Consumer Act (62), local governments shall endeavour to engage in mediation with respect to complaints and provide the parties with necessary expertise. Those dispute resolution mechanisms appear quite effective, with a resolution rate of 91,2 % concerning more than 75 000 complaint cases in 2015.
(146)
Fourth, as a more indirect form of judicial control, an individual who considers that the collection of his/her personal information as part of a criminal investigation was illegal may, at his/her criminal trial, invoke this illegality. If the court agrees, this will lead to the exclusion of the evidence as inadmissible.
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(167)
In any event, the Administrative Organ has to take a written decision within a certain period (30 days, which under certain conditions can be extended by an additional 30 days). If the request is rejected, only partially granted, or if the individual for other reasons considers the conduct of the Administrative Organ to be "illegal or unjust", the individual may request administrative review based on the Administrative Complaint Review Act (141). In such a case, the head of the Administrative Organ deciding on the appeal shall consult the Information Disclosure and Personal Information Protection Review Board (Articles 42, 43 APPIHAO), a specialised, independent board whose members are appointed by the Prime Minister with consent of both Houses of the Diet. According to the information received, the Review Board may carry out an examination (142) and in this respect request the Administrative Organ to provide the retained personal information, including any classified content, as well as further information and documents. While the ultimate report sent to the complainant as well as the Administrative Organ and made public is not legally binding, it is in almost all cases followed (143). Moreover, the individual has the possibility to challenge the appeal decision in court based on the Administrative Case Litigation Act. This opens the way for judicial control of the use of the national security exception(s), including of whether such an exception has been abused or is still justified.