(3)
As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country's legal order, with respect to both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities. The assessment has to determine whether the third country in question guarantees a level of protection "essentially equivalent" to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). As clarified by the Court of Justice of the European Union, this does not require an identical level of protection (2). In particular, the means to which the third country in question has recourse may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (3). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (4).
(7)
Article 13 of the Constitution states:
"All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs."
(26)
In order to address this situation, Supplementary Rule (2) requires that personal data transferred from the European Union "be handled as retained personal data within the meaning of Article 2, paragraph 7 of the Act, irrespective of the period within which it is set to be deleted". Hence, the retention period will have no bearing on the rights afforded to EU data subjects.
(41)
In that respect, Article 15(2) of the APPI provides that the initial purpose must not be altered by the PIHBO "beyond the scope recognized reasonably relevant to the pre-altered utilization purpose", interpreted in the PPC Guidelines as corresponding to what can be objectively anticipated by the data subject based on "normal social conventions" (26).
(63)
As under the Supplementary Rules personal data transferred from the European Union will be considered "retained personal data" irrespective of their retention period (unless covered by exemptions), they will always be subject to the transparency requirements under both of the aforementioned provisions.
(84)
These rights are subject to three types of restrictions, relating to the individual's own or third parties’ rights and interests (51), serious interference with the PIHBO's business operations (52) as well as cases in which disclosure would violate other laws or regulations (53). The situations in which these restrictions would apply are similar to some of the exceptions applicable under Article 23(1) of Regulation (EU) 2016/679, which allows for restrictions of the rights of individuals for reasons related to the "protection of the data subject or the rights and freedoms of others" or "other important objectives of general public interest". Although the category of cases in which disclosure would violate "other laws or regulations" may appear broad, laws and regulations providing for limitations in this regard must respect the constitutional right to privacy and may impose restrictions only to the extent that the exercise of this right would "interfere with the public welfare" (54). This requires a balancing of the interests at stake.
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(104)
Before or instead of seeking administrative or judicial redress, an individual may decide to submit a complaint about the processing of his/her personal data to the controller itself. Based on Article 35 of the APPI, PIHBOs shall endeavour to deal with such complaints "appropriately and promptly" and establish internal complaint-handling systems to achieve this objective. In addition, under Article 61(ii) of the APPI the PPC is responsible for the "necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint", which in both cases includes complaints submitted by foreigners. In this regard, the Japanese legislator has also entrusted the central government with the task of taking "necessary action" to enable and facilitate the resolution of complaints by PIHBOs (Article 9), while local governments shall endeavour to ensure mediation in such cases (Article 13). In that respect, individuals may lodge a complaint with one of the more than 1 700 consumer centres established by local governments based on the Consumer Safety Act (61), in addition to the possibility of lodging a complaint with the National Consumer Affairs Centre of Japan. Such complaints may also be brought with respect to a violation of the APPI. Under Article 19 of the Basic Consumer Act (62), local governments shall endeavour to engage in mediation with respect to complaints and provide the parties with necessary expertise. Those dispute resolution mechanisms appear quite effective, with a resolution rate of 91,2 % concerning more than 75 000 complaint cases in 2015.
(108)
Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.
(109)
Finally, individuals may also seek redress against the PPC's actions or inactions. In this respect, Japanese law provides several avenues of administrative and judicial redress.
(113)
The Commission has also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Japanese law as regards the collection and subsequent use of personal data transferred to business operators in Japan by public authorities for public interest, in particular criminal law enforcement and national security purposes ("government access"). In this respect, the Japanese government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.
(114)
As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).
(118)
As regards specifically the right to data protection, Chapter III, Sections 1, 2 and 3 of the APPI lays down general principles covering all sectors, including the public sector. In particular, Article 3 of the APPI provides that all personal information must be handled in accordance with the principle of respect for the personality of individuals. Once personal information, including as part of electronic records, has been collected ("obtained") by public authorities (78), its handling is governed by the Act on the Protection of Personal Information held by Administrative Organs ("APPIHAO") (79). This includes in principle (80) also the processing of personal information for criminal law enforcement or national security purposes. Among others, the APPIHAO provides that public authorities: (i) may only retain personal information to the extent this is necessary for carrying out their duties; (ii) shall not use such information for an "unjust" purpose or disclose it to a third person without justification; (iii) shall specify the purpose and not change that purpose beyond what can reasonably be considered as relevant for the original purpose (purpose limitation); (iv) shall in principle not use or provide a third person with the retained personal information for other purposes and, if they consider this necessary, impose restrictions on the purpose or method of use by third parties; (v) shall endeavour to ensure the correctness of the information (data quality); (vi) shall take the necessary measures for the proper management of the information and to prevent leakage, loss or damage (data security); and (vii) shall endeavour to properly and expeditiously process any complaints regarding the processing of the information (81).
(121)
As indicated in recital 115, any data collection as part of a coercive investigation must be specifically authorised by law and may only be carried out based on a court warrant "issued for adequate cause" (Article 35 of the Constitution). As regards the investigation of criminal offences, this requirement is reflected in the provisions of the Code of Criminal Procedure ("CCP"). According to Article 197(1) of the CCP, compulsory measures "shall not be applied unless special provisions have been established in this Code". With respect to the collection of electronic information, the only relevant (82) legal bases in this regard are Article 218 of the CCP (search and seizure) and Article 222-2 of the CCP, according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other acts, namely the Act on Wiretapping for Criminal Investigation ("Wiretapping Act"). In both cases, the warrant requirement applies.
(127)
Specifically with respect to Article 197(2) of the CCP, the National Police Agency ("NPA") – as the federal authority in charge, among others, of all matters concerning the criminal police – has issued instructions to the Prefectural Police (93) on the "proper use of written inquiries in investigative matters". According to this Notification, requests must be made using a pre-established form ("Form No. 49" or so-called "enquiry sheet") (94), concern records "regarding a specific investigation" and the requested information must be "necessary for [that] investigation". In each case, the chief investigator shall "fully examine the necessity, content, etc. of [the] individual enquiry" and must receive internal approval from a high-ranking official.
(128)
Moreover, in two judgments from 1969 and 2008 (95), the Supreme Court of Japan has stipulated limitations with respect to non-compulsory measures that interfere with the right to privacy (96). In particular, the court considered that such measures must be "reasonable" and stay within "generally allowable limits", that is to say they must be necessary for the investigation of a suspect (collection of evidence) and carried out "by appropriate methods for achieving the purpose of [the] investigation" (97). The judgments show that this entails a proportionality test, taking into account all the circumstances of the case (e.g. the level of interference with the right to privacy, including the expectation of privacy, the seriousness of the crime, the likelihood to obtain useful evidence, the importance of that evidence, possible alternative means of investigation, etc.) (98).
(129)
Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.
(133)
While there is no ex-ante check by a judge in the case of requests for voluntary disclosure, business operators to whom such requests are addressed can object to them without risking any negative consequences (and will have to take into account the privacy impact of any disclosure). Moreover, according to Article 192(1) of the CCP, police officials shall always cooperate and coordinate their actions with the public prosecutor (and the Prefectural Public Safety Commission) (105). In turn, the public prosecutor may give the necessary general instructions setting forth standards for a fair investigation and/or issue specific orders with respect to an individual investigation (Article 193 of the CCP). Where such instructions and/or orders are not followed, the prosecution may file charges for disciplinary action (Article 194 of the CCP). Hence, the Prefectural Police operates under the supervision of the public prosecutor.
(134)
Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.
(136)
In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).
(138)
First, with respect to personal information collected by Administrative Organs, the latter are under an obligation to "endeavour to properly and expeditiously process any complaints" regarding its subsequent processing (Article 48 of the APPIHAO). While Chapter IV of the APPIHAO on individual rights is not applicable with respect to personal information recorded in "documents relating to trials and seized articles" (Article 53-2(2) of the CCP) – which covers personal information collected as part of criminal investigations – individuals may bring a complaint to invoke the general data protection principles such as for instance the obligation to only retain personal information "when the retention is necessary for performing [law enforcement functions]" (Article 3(1) of the APPIHAO).
(139)
In addition, Article 79 of the Police Law guarantees individuals who have concerns with respect to the "execution of duties" by police personnel the right to lodge a complaint with the (competent) independent Prefectural Public Safety Commission. The Commission will "faithfully" handle such complaints in accordance with laws and local ordinances and shall notify the complainant in writing of the results. Based on its authority to supervise and "direct" the Prefectural Police with respect to "personnel's misconduct" (Articles 38(3), 43-2(1) of the Police Law), it may request the Prefectural Police to investigate the facts, take appropriate measures based on the outcome of this investigation and report on the results. If it considers that the investigation carried out by the Police has not been adequate, the Commission may also provide instructions on the handling of the complaint.
(141)
Second, given that redress will naturally have to be sought abroad in a foreign system and in a foreign language, in order to facilitate redress for EU individuals whose personal data is transferred to business operators in Japan and then accessed by public authorities, the Japanese government has made use of its powers to create a specific mechanism, administered and supervised by PPC, for handling and resolving complaints in this field. That mechanism builds on the cooperation obligation imposed on Japanese public authorities under the APPI and the special role of the PPC with respect to international data transfers from third countries under Article 6 of the APPI and the Basic Policy (as established by the Japanese government through Cabinet Order). The details of this mechanism are set out in the official representations, assurances and commitments received from the Japanese government and attached to this Decision as Annex II. The mechanism is not subject to any standing requirement and is open to any individual, independently of whether (s)he is suspected or accused of a criminal offence.
(147)
Finally, under Article 1(1) of the State Redress Act a court may grant compensation where a public officer who exercises the public authority of the State has, in the course of his/her duties, unlawfully and with fault (intentionally or negligently) inflicted damage on the individual concerned. According to Article 4 of the State Redress Act, the State's liability for damages is based on the provisions of the Civil Code. In this respect, Article 710 of the Civil Code stipulates that liability also covers damages other than those to property, and hence moral damage (for instance in the form of "mental distress"). This includes cases where the privacy of an individual has been invaded by unlawful surveillance and/or the collection of his/her personal information (e.g. the illegal execution of a warrant) (121).
(149)
With respect to all those redress avenues, the dispute resolution mechanism created by the Japanese government provides that an individual who is still dissatisfied with the outcome of the procedure can address the PPC "which shall inform the individual of the various possibilities and detailed procedures for obtaining redress under Japanese laws and regulations." Moreover, the PPC "will provide the individual with support, including counselling and assistance in bringing any further action to the relevant administrative or judicial body."
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(162)
As regards the Prefectural Police, oversight is ensured by the independent Prefectural Public Safety Commissions, as explained in recital 135 with respect to criminal law enforcement.
(163)
Finally, as indicated, the PSIA may only carry out investigations to the extent this is necessary with respect to the adoption of a prohibition, dissolution or surveillance disposition under the SAPA/ACO, and for these dispositions the independent (136) Public Security Examination Commission exercises ex ante oversight. In addition, regular/periodic inspections (which in a comprehensive manner look at PSIA's operations) (137) and special internal inspections (138) on the activities of individual departments/offices etc. are carried out by specifically designated inspectors and may lead to instructions to the heads of relevant departments etc. to take corrective or improvement measures.
(165)
As regards individual redress, with respect to personal information collected and thus "retained" by Administrative Organs, the latter are under an obligation to "endeavour to properly and expeditiously process any complaints" regarding such processing (Article 48 APPIHAO).
(166)
Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).
(167)
In any event, the Administrative Organ has to take a written decision within a certain period (30 days, which under certain conditions can be extended by an additional 30 days). If the request is rejected, only partially granted, or if the individual for other reasons considers the conduct of the Administrative Organ to be "illegal or unjust", the individual may request administrative review based on the Administrative Complaint Review Act (141). In such a case, the head of the Administrative Organ deciding on the appeal shall consult the Information Disclosure and Personal Information Protection Review Board (Articles 42, 43 APPIHAO), a specialised, independent board whose members are appointed by the Prime Minister with consent of both Houses of the Diet. According to the information received, the Review Board may carry out an examination (142) and in this respect request the Administrative Organ to provide the retained personal information, including any classified content, as well as further information and documents. While the ultimate report sent to the complainant as well as the Administrative Organ and made public is not legally binding, it is in almost all cases followed (143). Moreover, the individual has the possibility to challenge the appeal decision in court based on the Administrative Case Litigation Act. This opens the way for judicial control of the use of the national security exception(s), including of whether such an exception has been abused or is still justified.
(176)
According to the case law of the Court of Justice (147), and as recognized in Article 45(4) of Regulation (EU) 2016/679, the Commission should continuously monitor relevant developments in the third country after the adoption of an adequacy decision in order to assess whether Japan still ensures an essentially equivalent level of protection. Such a check is required, in any event, when the Commission receives information giving rise to a justified doubt in that respect.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
(187)
The Commission should also consider initiating the procedure leading to the amendment, suspension or repeal of this Decision if, in the context of the Joint Review or otherwise, the competent Japanese authorities fail to provide the information or clarifications necessary for the assessment of the level of protection afforded to personal data transferred from the European Union to Japan or compliance with this Decision. In this respect, the Commission should take into account the extent to which the relevant information can be obtained from other sources.