(62)
As regards "retained personal data", Article 27 APPI provides that the PIHBO shall inform the data subject about its identity (contact details), the utilisation purpose and the procedures for responding to a request concerning the data subject's individual rights under Articles 28, 29 and 30 of the APPI.
(73)
Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PHIBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).
(74)
Accredited personal information protection organisations submit annual reports on their operations. According to the "Overview of the Implementation Status [of] the APPI in FY 2015" published by the PPC, accredited personal information protection organisations received a total of 442 complaints, required 123 explanations from business operators under their jurisdiction, requested documents from these operators in 41 cases, gave 181 instructions and made two recommendations (45).
(78)
To ensure continuity of protection in case of personal data transferred from the European Union to Japan under this Decision, Supplementary Rule (4) enhances the level of protection for onward transfers of such data by the PIHBO to a third country recipient. It does so by limiting and framing the bases for international transfers that can be used by the PIHBO as an alternative to consent. More specifically, and without prejudice to the derogations set forth in Article 23(1) of the APPI, personal data transferred under this Decision may be subject to (onward) transfers without consent only in two cases: (i) where the data is sent to a third country which has been recognised by the PPC under Article 24 of the APPI as providing an equivalent level of protection to the one guaranteed in Japan (47); or (ii) where the PIHBO and the third party recipient have together implemented measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules, by means of a contract, other forms of binding agreements or binding arrangements within a corporate group. The second category corresponds to the instruments used under Regulation (EU) 2016/679 to ensure appropriate safeguards (in particular, contractual clauses and binding corporate rules). In addition, as confirmed by the PPC, even in those cases, the transfer remains subject to the general rules applicable to any provision of personal data to a third party under the APPI (i.e. the requirement to obtain consent under Article 23(1) or, alternatively, the information requirement with a possibility to opt out under Article 23(2) of the APPI). In case the data subject cannot be reached with a request for consent or in order to provide the required advance information under Article 23(2) of the APPI, the transfer may not take place.
(82)
First, pursuant to Article 28(1) and (2) of the APPI, a data subject has a right to request from a PIHBO to "disclos[e] retained personal data that can identify him- or herself" and, upon receipt of such a request, the PIHBO "shall […] disclose retained personal data" to the data subject. Article 29 (right to correction) and 30 (right to utilisation cease) have the same structure as Article 28.
(85)
According to Article 28(3) of the APPI, if the requested data does not exist, or where the PIHBO concerned decides not to grant access to the retained data, it is required to inform the individual without delay.
(86)
Second, pursuant to Article 29(1) and (2) of the APPI, a data subject has a right to request the correction, addition or deletion of his/her retained personal data in the case where the data is inaccurate. Upon receipt of such a request, the PIHBO "shall […] conduct a necessary investigation" and, based on the results of such an investigation, "make a correction etc. of the contents of the retained data".
(87)
Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).
(88)
When the request is founded, the PIHBO shall without delay discontinue the use of the data, or the provision to a third party, to the extent necessary to remedy the violation or, if a case is covered by an exception (notably if the utilisation cease would cause particularly high costs) (55), implement necessary alternative measures to protect the rights and interests of the individual concerned.
(90)
In all cases referred to in Articles 28 and 29 of the APPI, the PIHBO is required to notify the individual about the outcome of his/her request without delay, and moreover has to explain any (partial) refusal based on the statutory exceptions provided for in Articles 27 to 30 (Article 31 of the APPI).
(91)
As regards the conditions for making a request, Article 32 of the APPI (together with the Cabinet Order) allows the PIHBO to determine reasonable procedures, including in terms of the information needed to identify the retained personal data. However, according to paragraph 4 of this Article, PIHBOs must not impose an "excessive burden on a principal". In certain cases the PIHBOs may also impose fees as long as their amount stays "within the scope considered reasonable in consideration of actual costs" (Article 33 of the APPI).
(93)
Differently from EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).
(97)
The powers of the PPC, which it exercises in full independence (58), are mainly provided for in Articles 40, 41 and 42 of the APPI. Under Article 40, the PPC may request PIHBOs to report or submit documents on processing operations and may also carry out inspections, both on-site and of books or other documents. To the extent necessary to enforce the APPI, the PPC may also provide PIHBOs with guidance or advice as regards the handling of personal information. The PPC has already made use of this power under Article 41 APPI by addressing guidance to Facebook, following the Facebook/Cambridge Analytica revelations.
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(105)
Violations of the provisions of the APPI by a PIHBO can give rise to civil actions as well as criminal proceedings and sanctions. First, if an individual considers that his/her rights under Articles 28, 29 and 30 of the APPI have been infringed, (s)he may seek injunctive relief by asking the court to order a PIHBO to satisfy his/her request under one of these provisions, i.e. to disclose retained personal data (Article 28), to rectify retained personal data that is incorrect (Article 29) or to cease unlawful processing or third party provision (Article 30). Such an action may be brought without the need to rely on Article 709 of the Civil Code (63) or otherwise on tort law (64). In particular, this means that the individual does not have to prove any harm.
(107)
As regards the available remedies, Article 709 of the Japanese Civil Code refers to monetary compensation. However, Japanese case law has interpreted this article as also conferring the right to obtain an injunction (65). Therefore, if a data subject brings an action under Article 709 of the Civil Code and claims that his/her rights or interests have been harmed by an infringement of an APPI provision by the defendant, that claim may include, besides compensation for damage, a request for injunctive relief, notably aiming at stopping any unlawful processing.
(110)
Where an individual is not satisfied with a course of action undertaken by the PPC, (s)he may file an administrative appeal under the Administrative Complaint Review Act (67). Conversely, where an individual considers that the PPC should have acted but failed to do so, an individual may request the PPC pursuant to Article 36-3 of that Act to make a disposition or provide administrative guidance if (s)he considers that "a disposition or administrative guidance necessary for the correction of the violation has not been rendered or imposed".
(120)
In the Japanese legal framework, the collection of electronic information for criminal law enforcement purposes is permissible based on a warrant (compulsory collection) or a request for voluntary disclosure.
(125)
Within the limits of their competence, public authorities may also collect electronic information based on requests for voluntary disclosure. This refers to a non-compulsory form of cooperation where compliance with the request cannot be enforced (88), thus relieving the public authorities from the duty of obtaining a court warrant.
(126)
To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).
(127)
Specifically with respect to Article 197(2) of the CCP, the National Police Agency ("NPA") – as the federal authority in charge, among others, of all matters concerning the criminal police – has issued instructions to the Prefectural Police (93) on the "proper use of written inquiries in investigative matters". According to this Notification, requests must be made using a pre-established form ("Form No. 49" or so-called "enquiry sheet") (94), concern records "regarding a specific investigation" and the requested information must be "necessary for [that] investigation". In each case, the chief investigator shall "fully examine the necessity, content, etc. of [the] individual enquiry" and must receive internal approval from a high-ranking official.
(129)
Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.
(133)
While there is no ex-ante check by a judge in the case of requests for voluntary disclosure, business operators to whom such requests are addressed can object to them without risking any negative consequences (and will have to take into account the privacy impact of any disclosure). Moreover, according to Article 192(1) of the CCP, police officials shall always cooperate and coordinate their actions with the public prosecutor (and the Prefectural Public Safety Commission) (105). In turn, the public prosecutor may give the necessary general instructions setting forth standards for a fair investigation and/or issue specific orders with respect to an individual investigation (Article 193 of the CCP). Where such instructions and/or orders are not followed, the prosecution may file charges for disciplinary action (Article 194 of the CCP). Hence, the Prefectural Police operates under the supervision of the public prosecutor.
(134)
Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.
(136)
In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).
(139)
In addition, Article 79 of the Police Law guarantees individuals who have concerns with respect to the "execution of duties" by police personnel the right to lodge a complaint with the (competent) independent Prefectural Public Safety Commission. The Commission will "faithfully" handle such complaints in accordance with laws and local ordinances and shall notify the complainant in writing of the results. Based on its authority to supervise and "direct" the Prefectural Police with respect to "personnel's misconduct" (Articles 38(3), 43-2(1) of the Police Law), it may request the Prefectural Police to investigate the facts, take appropriate measures based on the outcome of this investigation and report on the results. If it considers that the investigation carried out by the Police has not been adequate, the Commission may also provide instructions on the handling of the complaint.
(144)
Once the evaluation is concluded, the PPC shall notify the individual within a reasonable period of time of the outcome of the evaluation, including any corrective action taken where applicable. At the same time, the PPC shall also inform the individual about the possibility of seeking a confirmation of the outcome from the competent public authority and the identity of the authority to which such a request for confirmation should be made. The possibility to receive such a confirmation, including the reasons underpinning the decision of the competent authority, may be of assistance to the individual in taking any further steps, including when seeking judicial redress. Detailed information on the outcome of the evaluation can be restricted as long as there are reasonable grounds to consider that communicating such information is likely to pose a risk to the ongoing investigation.
(145)
Third, an individual who disagrees with a seizure decision (warrant) (118) concerning his/her personal data by a judge, or with the measures by the police or prosecution executing such a decision, may file a request for that decision or such measures to be rescinded or altered (Articles 429(1), 430(1), (2) of the CCP, Article 26 of the Wiretapping Act) (119). In the case where the reviewing court considers that either the warrant itself or its execution ("procedure for seizure") is illegal, it will grant the request and order the seized articles to be returned (120).
(151)
According to the Japanese authorities, there is no law in Japan permitting compulsory requests for information or "administrative wiretapping" outside criminal investigations. Hence, on national security grounds information may only be obtained from an information source that can be freely accessed by anyone or by voluntary disclosure. Business operators receiving a request for voluntary cooperation (in the form of disclosure of electronic information) are under no legal obligation to provide such information (124).
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(161)
As regards MOD, oversight is exercised by the Inspector General's Office of Legal Compliance (IGO) (134) that has been established based on Article 29 of the MOD Establishment Act as an office within the MOD under the supervision of the Minister of Defence (to which it reports) but independent from MOD's operational departments. The IGO has the task of ensuring compliance with laws and regulations as well as the proper execution of duties by MOD officials. Among its powers is the authority to carry out so-called "Defence Inspections", both at regular intervals ("Regular Defence Inspections") and in individual cases ("Special Defence Inspections"), which in the past have also covered the proper handling of personal information (135). In the context of such inspections, the IGO may enter sites (offices) and request the submission of documents or information, including explanations by the Deputy Vice-Minister of the MOD. The inspection is concluded through a report to the Minister of Defence setting out the findings and measures for improvement (the implementation of which can again be checked through further inspections). The report in turn forms the basis for instructions from the Minister of Defence to implement the measures necessary to address the situation; the Deputy Vice-Minister is charged with carrying out such measures and has to report on the follow-up.
(166)
Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).
(167)
In any event, the Administrative Organ has to take a written decision within a certain period (30 days, which under certain conditions can be extended by an additional 30 days). If the request is rejected, only partially granted, or if the individual for other reasons considers the conduct of the Administrative Organ to be "illegal or unjust", the individual may request administrative review based on the Administrative Complaint Review Act (141). In such a case, the head of the Administrative Organ deciding on the appeal shall consult the Information Disclosure and Personal Information Protection Review Board (Articles 42, 43 APPIHAO), a specialised, independent board whose members are appointed by the Prime Minister with consent of both Houses of the Diet. According to the information received, the Review Board may carry out an examination (142) and in this respect request the Administrative Organ to provide the retained personal information, including any classified content, as well as further information and documents. While the ultimate report sent to the complainant as well as the Administrative Organ and made public is not legally binding, it is in almost all cases followed (143). Moreover, the individual has the possibility to challenge the appeal decision in court based on the Administrative Case Litigation Act. This opens the way for judicial control of the use of the national security exception(s), including of whether such an exception has been abused or is still justified.
(168)
In order to facilitate the exercise of the above-mentioned rights under the APPIHAO, the MIC has established 51 "comprehensive information centres" that provide consolidated information on those rights, the applicable procedures to make a request and possible avenues for redress (144). As regards the Administrative Organs, they are required to provide "information that contributes to specifying the Retained Personal Information held" (145) and to take "other adequate measures in consideration of the convenience of the person who intends to make the request" (Article 47(1) of the APPIHAO).
(182)
To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.
(184)
Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.