2.2.1 - Definition of personal information2.2.2 - Definition of personal data2.2.3 - Definition of retained personal data2.2.4 - Definition of anonymously processed personal information2.2.5 - Definition of Personal Information Handling Business Operator (PIHBO)2.2.6 - Concepts of controller and processor2.2.7 - Sectoral exclusions
2.3.1 - Purpose limitation2.3.2. - Lawfulness and fairness of processing2.3.3. - Data accuracy and minimisation2.3.4. - Storage limitation2.3.5. - Data security2.3.6. - Transparency2.3.7. - Special categories of data2.3.8. - Accountability2.3.9. - Restrictions on onward transfers2.3.10. - Individual rights
3.1 - General legal framework3.2 - Access and use by Japanese public authorities for criminal law enforcement purposes3.2.1 - Legal basis and applicable limitations/safeguards3.2.1.1 - Compulsory investigation based on a court warrant3.2.1.2 - Request for voluntary disclosure based on an "enquiry sheet"3.2.1.3 - Further use of the information collected3.2.2 - Independent oversight3.2.3 - Individual redress3.3 - Access and use by Japanese public authorities for national security purposes3.3.1 - Legal basis and applicable limitations/safeguards
3.3.2 - Independent oversight
3.3.3 - Individual redress
(10)
The two latter acts (amended in 2016) contain provisions applicable to the protection of personal information by public sector entities. Data processing falling within the scope of application of those acts is not the object of the adequacy finding contained in this Decision, which is limited to the protection of personal information by "Personal Information Handling Business Operators" (PIHBOs) within the meaning of the APPI.
(15)
On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhance the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.
(16)
Unlike before the 2015 amendment when this fell into the competence of various Japanese Ministries in specific sectors, the APPI empowers the PPC to adopt "Guidelines" "to ensure the proper and effective implementation of action to be taken by a business operator" under the data protection rules. Through its Guidelines, PPC provides an authoritative interpretation of those rules, in particular the APPI. According to the information received from the PPC, those Guidelines form an integral part of the legal framework, to be read together with the text of the APPI, the Cabinet Order, the PPC Rules and a set of Q&A (14) prepared by PPC. They are therefore "binding on business operators". Where the Guidelines state that a business operator "must" or "should not" act in a specified way, the PPC will consider that non-compliance with the relevant provisions amounts to a violation of the law (15).
(18)
First of all, as regards its material scope, the APPI distinguishes personal information from personal data, with only certain of the provisions of the Act being applicable to the former category. According to Article 2(1) of the APPI, the concept of "personal information" includes any information relating to a living individual which enables the identification of that individual. The definition distinguishes two categories of personal information: (i) individual identification codes; and (ii) other personal information whereby a specific individual can be identified. The latter category also includes information which by itself does not enable identification but, when "readily collated" with other information, allows the identification of a specific individual. According to the PPC Guidelines (16), whether information can be considered as "readily collated" shall be judged on a case by case basis, taking into consideration the actual situation ("condition") of the business operator. This will be assumed if such collation is (or can be) performed by an average ("normal") business operator using the means available to that operator. For instance, information is not "readily collated" with other information if a business operator needs to make unusual efforts or commit illegal acts to obtain the information to be collated from one or more other business operators.
(20)
This exception is further specified in Article 3(1) of the Cabinet Order, according to which the three following cumulative conditions must be fulfilled: (i) the collective body of information must have been "issued for the purpose of being sold to a large number of unspecified persons and the issuance of which has not been conducted in violation of the provisions of a law or order based thereon"; (ii) must be capable of being "purchased at any time by a large number of unspecified persons" and (iii) the personal data contained therein must be "provided for their original purpose without adding other information relating to a living individual". According to the explanations received from the PPC, this narrow exception was introduced with the aim of excluding telephone books or similar types of directories.
(21)
For data collected in Japan, this distinction between "personal information" and "personal data" is relevant because such information may not always be part of a "personal information database" (for example, a single data set collected and processed manually) and therefore those provisions of the APPI that only relate to personal data will not apply (19).
(23)
Certain provisions of the APPI, notably Articles 27 to 30 relating to individual rights, apply only to a specific category of personal data, namely "retained personal data". Those are defined under Article 2(7) of the APPI as personal data other than those which are either (i) "prescribed by cabinet order as likely to harm the public or other interests if their presence or absence is made known"; or (ii) "set to be deleted within a period of no longer than one year that is prescribed by cabinet order".
(27)
Requirements applicable to anonymously processed personal information, as defined in Article 2(9) of the APPI, are stipulated in Section 2 of Chapter 4 of the Act ("Duties of an Anonymously Processed Information Handling Business Operator"). Conversely, such information is not governed by the provisions of Section 1 of Chapter IV of the APPI which includes the articles stipulating the data protection safeguards and rights applying to the processing of personal data under that Act. Consequently, while "anonymously processed personal information" is not subject to the "standard" data protection rules (those specified in Section 1 of Chapter IV and in Article 42 of the APPI), they do fall within the scope of application of the APPI, notably Articles 36 to 39.
(29)
It results from those provisions, as also confirmed by the PPC, that the process of rendering personal information "anonymous" does not need to be technically irreversible. Pursuant to Article 36(2) of the APPI, business operators handling "anonymously processed personal information" are merely required to prevent re-identification by taking measures to ensure the security of "the descriptions etc. and individual identification codes deleted from personal information used to produce the anonymously processed information, and information relating to a processing method carried out".
(31)
To address that situation, the Supplementary Rules provide for additional requirements applicable only to personal data transferred from the European Union under this Decision. According to Rule (5) of the Supplementary Rules, such personal information shall only be considered "anonymously processed personal information" within the meaning of the APPI "if the personal information handling business operator takes measures that make the de-identification of the individual irreversible for anyone, including by deleting processing method etc. related information". The latter has been specified in the Supplementary Rules as information relating to descriptions and individual identification codes which were deleted from personal information used to produce "anonymously processed personal information", as well as information relating to a processing method applied while deleting these descriptions and individual identification codes. In other terms, the Supplementary Rules require the business operator producing "anonymously processed personal information" to destroy the "key" permitting re-identification of the data. This means that personal data originating from the European Union will fall under the APPI provisions regarding "anonymously processed personal information" only in cases where they would likewise be considered anonymous information under Regulation (EU) 2016/679 (22).
(35)
Under the APPI, no specific distinction is drawn between the obligations imposed on controllers and processors. The absence of this distinction does not affect the level of protection because all PIHBOs are subject to all provisions of the Act. A PIHBO that entrusts the handling of personal data to a trustee (the equivalent of a processor under the GDPR) remains subject to the obligations under the APPI and Supplementary Rules with regard to the data it has entrusted. Additionally, under Article 22 of the APPI, it is bound to "exercise necessary and appropriate supervision" over the trustee. In turn, as the PPC has confirmed, the trustee is itself bound by all the obligations in the APPI and the Supplementary Rules.
(36)
Article 76 of the APPI excludes certain types of data processing from the application of Chapter IV of the Act, which contains the central data protection provisions (basic principles, obligations of business operators, individual rights, supervision by the PPC). Processing covered by the sectoral exclusion in Article 76 is also exempted from the enforcement powers of the PPC, pursuant to Article 43(2) of the APPI (24).
(37)
The relevant categories for the sectoral exclusion in Article 76 of the APPI are defined by using a double criterion based on the type of PIHBO processing the personal information and the purpose of processing. More specifically, the exclusion applies to: (i) broadcasting institutions, newspaper publishers, communication agencies or other press organisations (including any individuals carrying out press activities as their business) to the extent they process personal information for press purposes; (ii) persons engaged in professional writing, to the extent this involves personal information; (iii) universities and any other organisations or groups aimed at academic studies, or any person belonging to such an organisation, to the extent they process personal information for the purpose of academic studies; (iv) religious bodies to the extent they process personal information for purposes of religious activity (including all related activities); and (v) political bodies to the extent they process personal information for the purposes of their political activity (including all related activities). Processing of personal information for one of the purposes listed in Article 76 by other types of PIHBOs as well as processing of personal information by one of the listed PIHBOs for other purposes, for instance in the employment context, remain covered by the provisions of Chapter IV.
(51)
Hence, given that under Regulation (EU) 2016/679 a transfer requires a valid legal basis and specific purpose, which are reflected in the utilization purpose "confirmed" under the APPI, the combination of the relevant provisions of the APPI and of Supplementary Rule (3) ensures the continued lawfulness of the processing of EU data in Japan.
(63)
As under the Supplementary Rules personal data transferred from the European Union will be considered "retained personal data" irrespective of their retention period (unless covered by exemptions), they will always be subject to the transparency requirements under both of the aforementioned provisions.
(80)
Finally, a further safeguard in case of (onward) transfers follows from Articles 20 and 22 of the APPI. According to these provisions, where a third country operator (data importer) acts on behalf of the PIHBO (data exporter), that is as a (sub-) processor, the latter has to ensure supervision over the former as regards security of data processing.
(87)
Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).
(89)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain legal provisions specifically addressing the possibility to oppose processing for direct marketing purposes. However, such processing will, under this Decision, take place in the context of a transfer of personal data that was previously collected in the European Union. Under Article 21(2) of Regulation (EU) 2016/679, the data subject shall always have the possibility to oppose a transfer of data for the purpose of processing for direct marketing. Moreover, as explained in recital 43, under Supplementary Rule (3), a PIHBO is required to process the data received under the Decision for the same purpose for which the data have been transferred from the European Union, unless the data subject consents to change the utilisation purpose.Hence, if the transfer has been made for any purpose other than direct marketing, a PIHBO in Japan will be barred from processing the data for the purpose of direct marketing without consent of the EU data subject.
(93)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(100)
Pursuant to Article 42(1) of the APPI, the PPC can, if it recognizes that there is a "need for protecting an individual's rights and interests in cases where a [PIHBO] has violated" specific APPI provisions, issue a recommendation to "suspend the act of violating or take other necessary action to rectify the violation". Such a recommendation is not binding, but opens the way for a binding order pursuant to Article 42(2) of the APPI. Based on this provision, if the recommendation is not followed "without legitimate grounds" and the PPC "recognises that a serious infringement of an individual's rights and interests is imminent", it can order the PIHBO to take action in line with the recommendation.
(105)
Violations of the provisions of the APPI by a PIHBO can give rise to civil actions as well as criminal proceedings and sanctions. First, if an individual considers that his/her rights under Articles 28, 29 and 30 of the APPI have been infringed, (s)he may seek injunctive relief by asking the court to order a PIHBO to satisfy his/her request under one of these provisions, i.e. to disclose retained personal data (Article 28), to rectify retained personal data that is incorrect (Article 29) or to cease unlawful processing or third party provision (Article 30). Such an action may be brought without the need to rely on Article 709 of the Civil Code (63) or otherwise on tort law (64). In particular, this means that the individual does not have to prove any harm.
(106)
Second, in the case where an alleged infringement does not concern individual rights under Articles 28, 29 and 30 but general data protection principles or obligations of the PIHBO, the concerned individual may bring a civil action against the business operator based on the torts provisions of the Japanese Civil Code, especially Article 709. While a lawsuit under Article 709 requires, aside from fault (intention or negligence), a demonstration of harm, according to Article 710 of the Civil Code such harm may be both material and immaterial. No limitation is imposed as to the amount of compensation.
(108)
Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.
(114)
As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).
(121)
As indicated in recital 115, any data collection as part of a coercive investigation must be specifically authorised by law and may only be carried out based on a court warrant "issued for adequate cause" (Article 35 of the Constitution). As regards the investigation of criminal offences, this requirement is reflected in the provisions of the Code of Criminal Procedure ("CCP"). According to Article 197(1) of the CCP, compulsory measures "shall not be applied unless special provisions have been established in this Code". With respect to the collection of electronic information, the only relevant (82) legal bases in this regard are Article 218 of the CCP (search and seizure) and Article 222-2 of the CCP, according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other acts, namely the Act on Wiretapping for Criminal Investigation ("Wiretapping Act"). In both cases, the warrant requirement applies.
(147)
Finally, under Article 1(1) of the State Redress Act a court may grant compensation where a public officer who exercises the public authority of the State has, in the course of his/her duties, unlawfully and with fault (intentionally or negligently) inflicted damage on the individual concerned. According to Article 4 of the State Redress Act, the State's liability for damages is based on the provisions of the Civil Code. In this respect, Article 710 of the Civil Code stipulates that liability also covers damages other than those to property, and hence moral damage (for instance in the form of "mental distress"). This includes cases where the privacy of an individual has been invaded by unlawful surveillance and/or the collection of his/her personal information (e.g. the illegal execution of a warrant) (121).
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).