(1)
Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope. The rules on international transfers of personal data are laid down in Chapter V of that Regulation, more specifically in Articles 44 to 50. The flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade, while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.
(3)
As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country's legal order, with respect to both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities. The assessment has to determine whether the third country in question guarantees a level of protection "essentially equivalent" to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). As clarified by the Court of Justice of the European Union, this does not require an identical level of protection (2). In particular, the means to which the third country in question has recourse may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (3). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (4).
(4)
The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).
(5)
This Decision has the effect that transfers from a controller or processor in the European Economic Area (EEA) (7) to such organisations in Japan may take place without the need to obtain any further authorisation. This Decision does not affect the direct application of Regulation (EU) 2016/679 to such organisations when the conditions of its Article 3 are fulfilled.
(11)
The APPI has been reformed in recent years. The amended APPI was promulgated on 9 September 2015 and came into force on 30 May 2017. The amendment introduced a number of new safeguards, and also strengthened existing safeguards, thus bringing the Japanese data protection system closer to the European one. This includes, for instance, a set of enforceable individual rights or the establishment of an independent supervisory authority (PPC) entrusted with the oversight and enforcement of the APPI.
(11)
The APPI has been reformed in recent years. The amended APPI was promulgated on 9 September 2015 and came into force on 30 May 2017. The amendment introduced a number of new safeguards, and also strengthened existing safeguards, thus bringing the Japanese data protection system closer to the European one. This includes, for instance, a set of enforceable individual rights or the establishment of an independent supervisory authority (PPC) entrusted with the oversight and enforcement of the APPI.
(15)
On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhance the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.
(22)
By contrast, this distinction will not be relevant for personal data imported from the European Union to Japan on the basis of an adequacy decision. As such data will typically be transferred by electronic means (given that in the digital era this is the usual way of exchanging data, especially over a large distance as between the EU and Japan), and hence become part of the data importer's electronic filing system, such EU data will fall into the category of "personal data" under the APPI. In the exceptional case that personal data would be transferred from the EU by other means (e.g. in paper form), it will still be covered by the APPI if following the transfer it becomes part of a "collective body of information" systematically organised so as to allow easy search for specific information (Article 2(4)(ii) APPI). According to Article 3(2) of the Cabinet Order, this will be the case where the information is arranged "according to a certain rule" and the database includes tools such as for instance a table of contents or index to facilitate the search. This corresponds to the definition of a "filing system" within the meaning of Article 2(1) of the GDPR.
(26)
In order to address this situation, Supplementary Rule (2) requires that personal data transferred from the European Union "be handled as retained personal data within the meaning of Article 2, paragraph 7 of the Act, irrespective of the period within which it is set to be deleted". Hence, the retention period will have no bearing on the rights afforded to EU data subjects.
(30)
Given that "anonymously processed personal information", as defined by the APPI, includes data for which re-identification of the individual is still possible, this could mean that personal data transferred from the European Union might lose part of the available protections through a process that, under Regulation (EU) 2016/679, would be considered a form of "pseudonymisation" rather than "anonymisation" (thus not changing its nature as personal data).
(31)
To address that situation, the Supplementary Rules provide for additional requirements applicable only to personal data transferred from the European Union under this Decision. According to Rule (5) of the Supplementary Rules, such personal information shall only be considered "anonymously processed personal information" within the meaning of the APPI "if the personal information handling business operator takes measures that make the de-identification of the individual irreversible for anyone, including by deleting processing method etc. related information". The latter has been specified in the Supplementary Rules as information relating to descriptions and individual identification codes which were deleted from personal information used to produce "anonymously processed personal information", as well as information relating to a processing method applied while deleting these descriptions and individual identification codes. In other terms, the Supplementary Rules require the business operator producing "anonymously processed personal information" to destroy the "key" permitting re-identification of the data. This means that personal data originating from the European Union will fall under the APPI provisions regarding "anonymously processed personal information" only in cases where they would likewise be considered anonymous information under Regulation (EU) 2016/679 (22).
(38)
In order to ensure an adequate level of protection of personal data transferred from the European Union to business operators in Japan, only processing of personal information falling within the scope of Chapter IV of the APPI – i.e. by a PIHBO to the extent the processing situation does not correspond to one of the sectoral exclusions – should be covered by this Decision. Its scope should therefore be aligned to that of the APPI. According to the information received from the PPC, where a PIHBO covered by this Decision subsequently modifies the utilisation purpose (to the extent this is permissible) and would then be covered by one of the sectoral exclusions in Article 76 of the APPI, this would be considered as an international transfer (given that, in such cases, the processing of the personal information would no longer be covered by Chapter IV of the APPI and thus fall outside its scope of application). The same would apply in case a PIHBO provides personal information to an entity covered by Article 76 of the APPI for use for one of the processing purposes indicated in that provision. As regards personal data transferred from the European Union, this would therefore constitute an onward transfer subject to the relevant safeguards (notably those specified in Article 24 of the APPI and Supplementary Rule (4)). Where the PIHBO relies on the data subject's consent (25), it would have to provide him/her with all the necessary information, including that the personal information would no longer be protected by the APPI.
(43)
When it comes to personal information acquired from another business operator, the PIHBO is, in principle, free to set a new utilisation purpose (28). In order to ensure that, in case of a transfer from the European Union, such a recipient is bound by the purpose for which the data was transferred, Supplementary Rule (3) requires that, in cases "where a [PIHBO] receives personal data from the EU based on an adequacy decision" or such an operator "receives from another [PIHBO] personal data previously transferred from the EU based on an adequacy decision" (onward sharing), the recipient has to "specify the purpose of utilising the said personal data within the scope of the utilisation purpose for which the data was originally or subsequently received". In other words, the rule ensures that in a transfer context the purpose specified pursuant to Regulation (EU) 2016/679 continues to determine the processing, and that a change of that purpose at any stage of the processing chain in Japan would require the consent of the EU data subject. While obtaining this consent requires the PIHBO to contact the data subject, where this is not possible the consequence is simply that the original purpose has to be maintained.
(48)
As regards transfers from the European Union, personal data will necessarily have been first collected and processed in the EU in compliance with Regulation (EU) 2016/679. This will always involve, on the one hand, collection and processing, including for the transfer from the European Union to Japan, on the basis of one of the legal grounds listed in Article 6(1) of the Regulation and, on the other hand, collection for a specific, explicit and legitimate purpose as well as the prohibition of further processing, including by way of a transfer, in a manner that is incompatible with such purpose as laid down in Articles 5(1)(b) and 6(4) of the Regulation.
(63)
As under the Supplementary Rules personal data transferred from the European Union will be considered "retained personal data" irrespective of their retention period (unless covered by exemptions), they will always be subject to the transparency requirements under both of the aforementioned provisions.
(68)
While the concept of "sensitive" data is inherently a social construct in that it is grounded in cultural and legal traditions, moral considerations, policy choices etc. of a given society, given the importance of ensuring adequate safeguards to sensitive data when transferred to business operators in Japan the Commission has obtained that the special protections afforded to "special care-required personal information" under Japanese law are extended to all categories recognised as "sensitive data" in Regulation (EU) 2016/679. To this end, Supplementary Rule (1) provides that data transferred from the European Union concerning an individual's sex life, sexual orientation or trade-union membership shall be processed by PIHBOs "in the same manner as special care-required personal information within the meaning of Article 2, paragraph 3 of the [APPI]".
(71)
As mentioned in footnote 34 (recital 49), PIHBOs are required, under Article 26(1) of the APPI, to verify the identity of a third party providing personal data to them and the "circumstances" under which such data was acquired by the third party (in case of personal data covered by this Decision, according to the APPI and Supplementary Rule (3) those circumstances shall include the fact that the data originates from the European Union as well as the purpose of the original data transfer). Among others, that measure aims at ensuring the lawfulness of data processing throughout the chain of PIHBOs handling the personal data. Furthermore, under Article 26(3) of the APPI, PIHBOs are required to keep a record of the date of receipt and the (mandatory) information received from the third party pursuant to paragraph 1, as well as the name of the individual concerned (data subject), the categories of data processed and, to the extent relevant, the fact that the data subject has given consent for sharing his/her personal data. As specified in Article 18 of the PPC Rules, those records must be preserved for a period of at least one to three years, depending on the circumstances. In the exercise of its tasks, the PPC can require the submission of such records (39).
(75)
The level of protection afforded to personal data transferred from the European Union to business operators in Japan must not be undermined by the further transfer of such data to recipients in a third country outside Japan. Such "onward transfers", which from the perspective of the Japanese business operator constitute international transfers from Japan, should be permitted only where the further recipient outside Japan is itself subject to rules ensuring a similar level of protection as guaranteed within the Japanese legal order.
(76)
A first protection is enshrined in Article 24 of the APPI which generally prohibits the transfer of personal data to a third party outside the territory of Japan without the prior consent of the individual concerned. Supplementary Rule (4) ensures that in the case of data transfers from the European Union such consent will be particularly well informed as it requires that the individual concerned shall be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent". On that basis, the data subject shall be informed of the fact that the data will be transferred abroad (outside the scope of application of the APPI) and of the specific country of destination. This will allow him/her to assess the risk for privacy involved with the transfer. Also, as can be inferred from Article 23 of the APPI (see recital 47), the information provided to the principal should cover the compulsory items under its paragraph 2, namely the categories of personal data provided to a third party and the method of disclosure.
(78)
To ensure continuity of protection in case of personal data transferred from the European Union to Japan under this Decision, Supplementary Rule (4) enhances the level of protection for onward transfers of such data by the PIHBO to a third country recipient. It does so by limiting and framing the bases for international transfers that can be used by the PIHBO as an alternative to consent. More specifically, and without prejudice to the derogations set forth in Article 23(1) of the APPI, personal data transferred under this Decision may be subject to (onward) transfers without consent only in two cases: (i) where the data is sent to a third country which has been recognised by the PPC under Article 24 of the APPI as providing an equivalent level of protection to the one guaranteed in Japan (47); or (ii) where the PIHBO and the third party recipient have together implemented measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules, by means of a contract, other forms of binding agreements or binding arrangements within a corporate group. The second category corresponds to the instruments used under Regulation (EU) 2016/679 to ensure appropriate safeguards (in particular, contractual clauses and binding corporate rules). In addition, as confirmed by the PPC, even in those cases, the transfer remains subject to the general rules applicable to any provision of personal data to a third party under the APPI (i.e. the requirement to obtain consent under Article 23(1) or, alternatively, the information requirement with a possibility to opt out under Article 23(2) of the APPI). In case the data subject cannot be reached with a request for consent or in order to provide the required advance information under Article 23(2) of the APPI, the transfer may not take place.
(89)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain legal provisions specifically addressing the possibility to oppose processing for direct marketing purposes. However, such processing will, under this Decision, take place in the context of a transfer of personal data that was previously collected in the European Union. Under Article 21(2) of Regulation (EU) 2016/679, the data subject shall always have the possibility to oppose a transfer of data for the purpose of processing for direct marketing. Moreover, as explained in recital 43, under Supplementary Rule (3), a PIHBO is required to process the data received under the Decision for the same purpose for which the data have been transferred from the European Union, unless the data subject consents to change the utilisation purpose.Hence, if the transfer has been made for any purpose other than direct marketing, a PIHBO in Japan will be barred from processing the data for the purpose of direct marketing without consent of the EU data subject.
(94)
In any event, as regards personal data that has been collected in the European Union, any decision based on automated processing will typically be taken by the data controller in the Union (which has a direct relationship with the concerned data subject) and is thus subject to Regulation (EU) 2016/679 (56). This includes transfer scenarios where the processing is carried out by a foreign (e.g. Japanese) business operator acting as an agent (processor) on behalf of the EU controller (or as a sub-processor acting on behalf of the EU processor having received the data from an EU controller that collected it) which on this basis then takes the decision. Therefore, the absence of specific rules on automated decision making in the APPI is unlikely to affect the level of protection of the personal data transferred under this Decision.
(101)
The Supplementary Rules further clarify and strengthen the PPC's enforcement powers. More specially, in cases involving data imported from the European Union, the PPC will always consider a PIHBO's failure to take action in line with a recommendation issued by the APPI pursuant to Article 42(1), without legitimate ground, as a serious infringement of an imminent nature of an individual's rights and interests within the meaning of Article 42(2), and therefore as an infringement warranting the issuance of a binding order. Moreover, as a "legitimate ground" for not complying with a recommendation the PPC will only accept an "event of an extraordinary nature [preventing compliance] outside the control of the [PIHBO] which cannot be reasonably foreseen (for example, natural disasters)" or cases where the necessity to take action concerning a recommendation "has disappeared because the [PIHBO] has taken alternative action that fully remedies the violation".
(142)
Under the mechanism, an individual who suspects that his/her data transferred from the European Union has been collected or used by public authorities in Japan (including those responsible for criminal law enforcement) in violation of the applicable rules can submit a complaint to the PPC (individually or though his/her data protection authority within the meaning of Article 51 of the GDPR). The PPC will be under an obligation to handle the complaint and in a first step inform the competent public authorities, including the relevant oversight bodies, thereof. Those authorities are required to cooperate with the PPC, "including by providing the necessary information and relevant material, so that the PPC can evaluate whether the collection or the subsequent use of personal information has taken place in compliance with the applicable rules" (117). This obligation, derived from Article 80 of the APPI (requiring Japanese public authorities to co-operate with PPC), applies in general and hence extends to the review of any investigatory measures taken by such authorities, which moreover have committed to such cooperation through written assurances from the competent ministries and agency heads, as reflected in Annex II.
(171)
The Commission considers that the APPI as complemented by the Supplementary Rules contained in Annex I, together with the official representations, assurances and commitments contained in Annex II, ensure a level of protection for personal data transferred from the European Union that is essentially equivalent to the one guaranteed by Regulation (EU) 2016/679.
(173)
Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.
(174)
Therefore, in the light of the findings of this Decision, the Commission considers that Japan ensures an adequate level of protection for personal data transferred from the European Union to PIHBOs in Japan that are subject to the APPI, except in those cases where the recipient falls within one of the categories listed in Article 76(1) APPI and all or part of the purposes of processing correspond(s) to one of the purposes prescribed in that provision.
(175)
On this basis, the Commission concludes that the adequacy standard of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union, in particular in the Schrems judgment (146), is met.
(178)
Moreover, in order to allow the Commission to effectively carry out its monitoring function, the Member States should inform the Commission about any relevant action undertaken by the national data protection authorities ("DPAs"), in particular regarding queries or complaints by EU data subjects concerning the transfer of personal data from the European Union to business operators in Japan. The Commission should also be informed about any indications that the actions of Japanese public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences, or for national security, including any oversight bodies, do not ensure the required level of protection.
(182)
To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.
(183)
On the basis of the Joint Review, the Commission should prepare a public report to be submitted to the European Parliament and the Council.
(184)
Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.
(187)
The Commission should also consider initiating the procedure leading to the amendment, suspension or repeal of this Decision if, in the context of the Joint Review or otherwise, the competent Japanese authorities fail to provide the information or clarifications necessary for the assessment of the level of protection afforded to personal data transferred from the European Union to Japan or compliance with this Decision. In this respect, the Commission should take into account the extent to which the relevant information can be obtained from other sources.
(188)
On duly justified grounds of urgency, such as a risk of serious infringment of data subjects’ rights, the Commission should consider adopting a decision to suspend or repeal this Decision that should apply immediately, pursuant to Article 93(3) of Regulation (EU) 2016/679 in conjunction with Article 8 of Regulation (EU) No 182/2011 of the European Parliament and of the Council (153).
(189)
The European Data Protection Board published its opinion (154), which has been taken into consideration in the preparation of this Decision.
(190)
The European Parliament has adopted a resolution on a digital trade strategy that calls on the Commission to prioritise and speed up the adoption of adequacy decisions with important trading partners under the conditions laid down in Regulation (EU) 2016/679, as an important mechanism to safeguard the transfer of personal data from the European Union (155). The European Parliament has also adopted a resolution on the adequacy of the protection of personal data afforded by Japan (156).