(24)
As regards the first of those two categories, it is explained in Article 4 of the Cabinet Order and covers four types of exemptions (20). These exemptions pursue similar objectives as those listed in Article 23(1) of Regulation (EU) 2016/679, notably protection of the data subject ("principal" in the terminology of the APPI) and the freedom of others, national security, public security, criminal law enforcement or other important objectives of general public interest. In addition, it results from the wording of Article 4(1)(i)-(iv) of the Cabinet Order that their application always presupposes a specific risk for one of the protected important interests (21).
(66)
"Special care-required personal information" is defined in Article 2(3) of the APPI. That provision refers to "personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Cabinet Order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal". These categories correspond for a large part to the list of sensitive data under Articles 9 and 10 of Regulation (EU) 2016/679. In particular, "medical history" corresponds to health data, while "criminal record and the fact of having suffered damage by a crime" are substantially the same as the categories referred to in Article 10 of Regulation (EU) 2016/679. The categories referred to in Article 2(3) of the APPI are subject to further interpretation in the Cabinet Order and PPC Guidelines. According to section 2.3 point (8) of the PPC Guidelines, the sub-categories of "medical history" detailed in Article 2(ii) and (iii) of the Cabinet Order are interpreted as covering genetic and biometric data. Also, while the list does not expressly include the terms "ethnic origin" and "political opinion", it does include references to "race" and "creed". As explained in section 2.3 points (1) and (2) of the PPC Guidelines, reference to "race" covers "ethnic ties or ties to a certain part of the world", while "creed" is understood as including both religious and political views.
(105)
Violations of the provisions of the APPI by a PIHBO can give rise to civil actions as well as criminal proceedings and sanctions. First, if an individual considers that his/her rights under Articles 28, 29 and 30 of the APPI have been infringed, (s)he may seek injunctive relief by asking the court to order a PIHBO to satisfy his/her request under one of these provisions, i.e. to disclose retained personal data (Article 28), to rectify retained personal data that is incorrect (Article 29) or to cease unlawful processing or third party provision (Article 30). Such an action may be brought without the need to rely on Article 709 of the Civil Code (63) or otherwise on tort law (64). In particular, this means that the individual does not have to prove any harm.
(108)
Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.
(102)
Non-compliance with a PPC order is considered as a criminal offence under Article 84 of the APPI and a PIHBO found guilty can be punished by imprisonment with labour for up to six months or a fine of up to 300 000 yen. Furthermore, pursuant to Article 85(i) of the APPI, lack of cooperation with the PPC or obstruction to its investigation is punishable with a fine of up to 300 000 yen. These criminal sanctions apply in addition to those that may be imposed for substantive violations of the APPI (see recital 108).
(114)
As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).
(115)
Under the reservation of law principle, any data collection as part of a coercive investigation must be specifically authorised by law (as reflected, for instance, in Article 197(1) of the Code of Criminal Procedure ("CCP") regarding the compulsory collection of information for the purposes of a criminal investigation). This requirement applies also to access to electronic information.
(116)
Importantly, Article 21(2) of the Constitution guarantees the secrecy of all means of communication, with limitations only allowed by legislation on public interest grounds. Article 4 of the Telecommunications Business Act, according to which the secrecy of communications handled by a telecommunications carrier shall not be violated, implements this confidentiality requirement at the level of statutory law. This has been interpreted as prohibiting the disclosure of communications information, except with the consent of users or if based on one of the explicit exemptions from criminal liability under the Penal Code (77).
(118)
As regards specifically the right to data protection, Chapter III, Sections 1, 2 and 3 of the APPI lays down general principles covering all sectors, including the public sector. In particular, Article 3 of the APPI provides that all personal information must be handled in accordance with the principle of respect for the personality of individuals. Once personal information, including as part of electronic records, has been collected ("obtained") by public authorities (78), its handling is governed by the Act on the Protection of Personal Information held by Administrative Organs ("APPIHAO") (79). This includes in principle (80) also the processing of personal information for criminal law enforcement or national security purposes. Among others, the APPIHAO provides that public authorities: (i) may only retain personal information to the extent this is necessary for carrying out their duties; (ii) shall not use such information for an "unjust" purpose or disclose it to a third person without justification; (iii) shall specify the purpose and not change that purpose beyond what can reasonably be considered as relevant for the original purpose (purpose limitation); (iv) shall in principle not use or provide a third person with the retained personal information for other purposes and, if they consider this necessary, impose restrictions on the purpose or method of use by third parties; (v) shall endeavour to ensure the correctness of the information (data quality); (vi) shall take the necessary measures for the proper management of the information and to prevent leakage, loss or damage (data security); and (vii) shall endeavour to properly and expeditiously process any complaints regarding the processing of the information (81).
(119)
Japanese law contains a number of limitations on the access and use of personal data for criminal law enforcement purposes as well as oversight and redress mechanisms that provide sufficient safeguards for that data to be effectively protected against unlawful interference and the risk of abuse.
(120)
In the Japanese legal framework, the collection of electronic information for criminal law enforcement purposes is permissible based on a warrant (compulsory collection) or a request for voluntary disclosure.
(121)
As indicated in recital 115, any data collection as part of a coercive investigation must be specifically authorised by law and may only be carried out based on a court warrant "issued for adequate cause" (Article 35 of the Constitution). As regards the investigation of criminal offences, this requirement is reflected in the provisions of the Code of Criminal Procedure ("CCP"). According to Article 197(1) of the CCP, compulsory measures "shall not be applied unless special provisions have been established in this Code". With respect to the collection of electronic information, the only relevant (82) legal bases in this regard are Article 218 of the CCP (search and seizure) and Article 222-2 of the CCP, according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other acts, namely the Act on Wiretapping for Criminal Investigation ("Wiretapping Act"). In both cases, the warrant requirement applies.
(123)
As regards the interception of communications, Article 3 of the Wiretapping Act authorises such measures only under strict requirements. In particular, the public authorities have to obtain a prior court warrant that may only be issued for the investigation of specific serious crimes (listed in the Annex to the Act) (85) and when it is "extremely difficult to identify the criminal or clarify the situations/details of the perpetration by any other ways" (86). Under Article 5 of the Wiretapping Act, the warrant is issued for a limited period of time and additional conditions may be imposed by the judge. Moreover, the Wiretapping Act provides for a number of further guarantees, such as for instance the necessary attendance of witnesses (Articles 12, 20), the prohibition to wiretap the communications of certain privileged groups (e.g. doctors, lawyers) (Article 15), the obligation to terminate the wiretapping if it is no longer justified, even within the period of validity of the warrant (Article 18), or the general requirement to notify the individual concerned and allow access to the records within thirty days after the wiretapping has been terminated (Articles 23, 24).
(126)
To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).
(127)
Specifically with respect to Article 197(2) of the CCP, the National Police Agency ("NPA") – as the federal authority in charge, among others, of all matters concerning the criminal police – has issued instructions to the Prefectural Police (93) on the "proper use of written inquiries in investigative matters". According to this Notification, requests must be made using a pre-established form ("Form No. 49" or so-called "enquiry sheet") (94), concern records "regarding a specific investigation" and the requested information must be "necessary for [that] investigation". In each case, the chief investigator shall "fully examine the necessity, content, etc. of [the] individual enquiry" and must receive internal approval from a high-ranking official.
(129)
Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.
(131)
In Japan, the collection of electronic information in the area of criminal law enforcement foremost (103) falls within the responsibilities of the Prefectural Police (104), which in this regard is subject to various layers of oversight.
(138)
First, with respect to personal information collected by Administrative Organs, the latter are under an obligation to "endeavour to properly and expeditiously process any complaints" regarding its subsequent processing (Article 48 of the APPIHAO). While Chapter IV of the APPIHAO on individual rights is not applicable with respect to personal information recorded in "documents relating to trials and seized articles" (Article 53-2(2) of the CCP) – which covers personal information collected as part of criminal investigations – individuals may bring a complaint to invoke the general data protection principles such as for instance the obligation to only retain personal information "when the retention is necessary for performing [law enforcement functions]" (Article 3(1) of the APPIHAO).
(141)
Second, given that redress will naturally have to be sought abroad in a foreign system and in a foreign language, in order to facilitate redress for EU individuals whose personal data is transferred to business operators in Japan and then accessed by public authorities, the Japanese government has made use of its powers to create a specific mechanism, administered and supervised by PPC, for handling and resolving complaints in this field. That mechanism builds on the cooperation obligation imposed on Japanese public authorities under the APPI and the special role of the PPC with respect to international data transfers from third countries under Article 6 of the APPI and the Basic Policy (as established by the Japanese government through Cabinet Order). The details of this mechanism are set out in the official representations, assurances and commitments received from the Japanese government and attached to this Decision as Annex II. The mechanism is not subject to any standing requirement and is open to any individual, independently of whether (s)he is suspected or accused of a criminal offence.
(142)
Under the mechanism, an individual who suspects that his/her data transferred from the European Union has been collected or used by public authorities in Japan (including those responsible for criminal law enforcement) in violation of the applicable rules can submit a complaint to the PPC (individually or though his/her data protection authority within the meaning of Article 51 of the GDPR). The PPC will be under an obligation to handle the complaint and in a first step inform the competent public authorities, including the relevant oversight bodies, thereof. Those authorities are required to cooperate with the PPC, "including by providing the necessary information and relevant material, so that the PPC can evaluate whether the collection or the subsequent use of personal information has taken place in compliance with the applicable rules" (117). This obligation, derived from Article 80 of the APPI (requiring Japanese public authorities to co-operate with PPC), applies in general and hence extends to the review of any investigatory measures taken by such authorities, which moreover have committed to such cooperation through written assurances from the competent ministries and agency heads, as reflected in Annex II.
(146)
Fourth, as a more indirect form of judicial control, an individual who considers that the collection of his/her personal information as part of a criminal investigation was illegal may, at his/her criminal trial, invoke this illegality. If the court agrees, this will lead to the exclusion of the evidence as inadmissible.
(150)
This includes making use of the procedural rights under the Code of Criminal Procedure. For instance, "[w]here the evaluation reveals that an individual is a suspect in a criminal case, the PPC will inform the individual about that fact" (123) as well as the possibility pursuant to Article 259 of the CCP to ask the prosecution to be notified once the latter has decided not to initiate criminal proceedings. Also, if the evaluation reveals that a case involving the personal information of the individual has been opened and that the case is concluded, the PPC will inform the individual that the case record can be inspected pursuant to Article 53 of the CCP (and Article 4 of the Act on Final Criminal Case Records). Gaining access to his/her case record is important as it will help the individual to better understand the investigation carried out against him/her and thus to prepare an eventual court action (e.g. a damages claim) in case (s)he considers his/her data was unlawfully collected or used.
(151)
According to the Japanese authorities, there is no law in Japan permitting compulsory requests for information or "administrative wiretapping" outside criminal investigations. Hence, on national security grounds information may only be obtained from an information source that can be freely accessed by anyone or by voluntary disclosure. Business operators receiving a request for voluntary cooperation (in the form of disclosure of electronic information) are under no legal obligation to provide such information (124).
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(162)
As regards the Prefectural Police, oversight is ensured by the independent Prefectural Public Safety Commissions, as explained in recital 135 with respect to criminal law enforcement.
(166)
Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).
(169)
As is the case for investigations in the area of criminal law enforcement, also in the area of national security individuals may obtain individual redress by directly contacting the PPC. This will trigger the specific dispute resolution procedure that the Japanese government has created for EU individuals whose personal data is transferred under this Decision (see detailed explanations in recitals 141 to 144, 149).
(113)
The Commission has also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Japanese law as regards the collection and subsequent use of personal data transferred to business operators in Japan by public authorities for public interest, in particular criminal law enforcement and national security purposes ("government access"). In this respect, the Japanese government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.
(173)
Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.
(178)
Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities ("DPAs"), in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the European Union to business operators in Japan. The Commission should also be informed about any indications that the actions of Japanese public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security, including any oversight bodies, do not ensure the required level of protection.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
(184)
Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.