2.2.1 - Definition of personal information2.2.2 - Definition of personal data2.2.3 - Definition of retained personal data2.2.4 - Definition of anonymously processed personal information2.2.5 - Definition of Personal Information Handling Business Operator (PIHBO)2.2.6 - Concepts of controller and processor2.2.7 - Sectoral exclusions
2.3.1 - Purpose limitation2.3.2. - Lawfulness and fairness of processing2.3.3. - Data accuracy and minimisation2.3.4. - Storage limitation2.3.5. - Data security2.3.6. - Transparency2.3.7. - Special categories of data2.3.8. - Accountability2.3.9. - Restrictions on onward transfers2.3.10. - Individual rights
3.1 - General legal framework3.2 - Access and use by Japanese public authorities for criminal law enforcement purposes3.2.1 - Legal basis and applicable limitations/safeguards3.2.1.1 - Compulsory investigation based on a court warrant3.2.1.2 - Request for voluntary disclosure based on an "enquiry sheet"3.2.1.3 - Further use of the information collected3.2.2 - Independent oversight3.2.3 - Individual redress3.3 - Access and use by Japanese public authorities for national security purposes3.3.1 - Legal basis and applicable limitations/safeguards
3.3.2 - Independent oversight
3.3.3 - Individual redress
(57)
Personal data should be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art and related costs.
(58)
This principle is implemented in Japanese law by Article 20 of the APPI, providing that a PIHBO "shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data." The PPC Guidelines explain the measures to be taken, including the methods for the establishment of basic policies, data handling rules and various "control actions" (regarding organisational safety as well as human, physical and technological security) (35). In addition, the PPC Guidelines and a dedicated Notice (Appendix 8 on "Contents of the safety management measures that have to be taken") published by the PPC provide more details on measures concerning security incidents involving, for example, the leakage of personal information, as part of the security management measures to be taken by PIHBOs (36).
(66)
"Special care-required personal information" is defined in Article 2(3) of the APPI. That provision refers to "personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Cabinet Order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal". These categories correspond for a large part to the list of sensitive data under Articles 9 and 10 of Regulation (EU) 2016/679. In particular, "medical history" corresponds to health data, while "criminal record and the fact of having suffered damage by a crime" are substantially the same as the categories referred to in Article 10 of Regulation (EU) 2016/679. The categories referred to in Article 2(3) of the APPI are subject to further interpretation in the Cabinet Order and PPC Guidelines. According to section 2.3 point (8) of the PPC Guidelines, the sub-categories of "medical history" detailed in Article 2(ii) and (iii) of the Cabinet Order are interpreted as covering genetic and biometric data. Also, while the list does not expressly include the terms "ethnic origin" and "political opinion", it does include references to "race" and "creed". As explained in section 2.3 points (1) and (2) of the PPC Guidelines, reference to "race" covers "ethnic ties or ties to a certain part of the world", while "creed" is understood as including both religious and political views.
(73)
Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PHIBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).
(103)
In order to ensure adequate protection and in particular the enforcement of individual rights, the data subject should be provided with effective administrative and judicial redress, including compensation for damages.
(107)
As regards the available remedies, Article 709 of the Japanese Civil Code refers to monetary compensation. However, Japanese case law has interpreted this article as also conferring the right to obtain an injunction (65). Therefore, if a data subject brings an action under Article 709 of the Civil Code and claims that his/her rights or interests have been harmed by an infringement of an APPI provision by the defendant, that claim may include, besides compensation for damage, a request for injunctive relief, notably aiming at stopping any unlawful processing.
(112)
Finally, an individual may also file an action for State compensation against the PPC under Article 1(1) of the State Redress Act in case (s)he has suffered damages due to the fact that an order issued by the PPC to a business operator was unlawful or the PPC has not exercised its authority.
(117)
The Constitution also guarantees the right of access to the courts (Article 32) and the right to sue the State for redress in the case where an individual has suffered damage through the illegal act of a public official (Article 17).
(118)
As regards specifically the right to data protection, Chapter III, Sections 1, 2 and 3 of the APPI lays down general principles covering all sectors, including the public sector. In particular, Article 3 of the APPI provides that all personal information must be handled in accordance with the principle of respect for the personality of individuals. Once personal information, including as part of electronic records, has been collected ("obtained") by public authorities (78), its handling is governed by the Act on the Protection of Personal Information held by Administrative Organs ("APPIHAO") (79). This includes in principle (80) also the processing of personal information for criminal law enforcement or national security purposes. Among others, the APPIHAO provides that public authorities: (i) may only retain personal information to the extent this is necessary for carrying out their duties; (ii) shall not use such information for an "unjust" purpose or disclose it to a third person without justification; (iii) shall specify the purpose and not change that purpose beyond what can reasonably be considered as relevant for the original purpose (purpose limitation); (iv) shall in principle not use or provide a third person with the retained personal information for other purposes and, if they consider this necessary, impose restrictions on the purpose or method of use by third parties; (v) shall endeavour to ensure the correctness of the information (data quality); (vi) shall take the necessary measures for the proper management of the information and to prevent leakage, loss or damage (data security); and (vii) shall endeavour to properly and expeditiously process any complaints regarding the processing of the information (81).
(147)
Finally, under Article 1(1) of the State Redress Act a court may grant compensation where a public officer who exercises the public authority of the State has, in the course of his/her duties, unlawfully and with fault (intentionally or negligently) inflicted damage on the individual concerned. According to Article 4 of the State Redress Act, the State's liability for damages is based on the provisions of the Civil Code. In this respect, Article 710 of the Civil Code stipulates that liability also covers damages other than those to property, and hence moral damage (for instance in the form of "mental distress"). This includes cases where the privacy of an individual has been invaded by unlawful surveillance and/or the collection of his/her personal information (e.g. the illegal execution of a warrant) (121).
(150)
This includes making use of the procedural rights under the Code of Criminal Procedure. For instance, "[w]here the evaluation reveals that an individual is a suspect in a criminal case, the PPC will inform the individual about that fact" (123) as well as the possibility pursuant to Article 259 of the CCP to ask the prosecution to be notified once the latter has decided not to initiate criminal proceedings. Also, if the evaluation reveals that a case involving the personal information of the individual has been opened and that the case is concluded, the PPC will inform the individual that the case record can be inspected pursuant to Article 53 of the CCP (and Article 4 of the Act on Final Criminal Case Records). Gaining access to his/her case record is important as it will help the individual to better understand the investigation carried out against him/her and thus to prepare an eventual court action (e.g. a damages claim) in case (s)he considers his/her data was unlawfully collected or used.
(170)
In addition, individuals may seek judicial redress in the form of a damage action under the State Redress Act, which also covers moral harm and under certain conditions the deletion of the collected data (see recital 147).