(1)
Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope. The rules on international transfers of personal data are laid down in Chapter V of that Regulation, more specifically in Articles 44 to 50. The flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade, while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.
(2)
Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country or an international organisation ensure an adequate level of protection. Under this condition, transfers of personal data to that third country, territory, sector or international organisation can take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of the Regulation.
(5)
This Decision has the effect that transfers from a controller or processor in the European Economic Area (EEA) (7) to such organisations in Japan may take place without the need to obtain any further authorisation. This Decision does not affect the direct application of Regulation (EU) 2016/679 to such organisations when the conditions of its Article 3 are fulfilled.
(14)
Recently, by a Cabinet Decision adopted on 12 June 2018, the Japanese government amended the "Basic Policy". With a view to facilitating international data transfers, that Cabinet Decision delegates to the PPC, as the authority competent for administering and implementing the APPI, "the power to take the necessary action to bridge differences of the systems and operations between Japan and the concerned foreign country based on Article 6 of the Act in view of ensuring appropriate handling of personal information received from such country". The Cabinet Decision stipulates that this includes the power to establish enhanced protections through the adoption by the PPC of stricter rules supplementing and going beyond those laid down in the APPI and the Cabinet Order. Pursuant to that Decision, these stricter rules shall be binding and enforceable on Japanese business operators.
(48)
As regards transfers from the European Union, personal data will necessarily have been first collected and processed in the EU in compliance with Regulation (EU) 2016/679. This will always involve, on the one hand, collection and processing, including for the transfer from the European Union to Japan, on the basis of one of the legal grounds listed in Article 6(1) of the Regulation and, on the other hand, collection for a specific, explicit and legitimate purpose as well as the prohibition of further processing, including by way of a transfer, in a manner that is incompatible with such purpose as laid down in Articles 5(1)(b) and 6(4) of the Regulation.
(75)
The level of protection afforded to personal data transferred from the European Union to business operators in Japan must not be undermined by the further transfer of such data to recipients in a third country outside Japan. Such "onward transfers", which from the perspective of the Japanese business operator constitute international transfers from Japan, should be permitted only where the further recipient outside Japan is itself subject to rules ensuring a similar level of protection as guaranteed within the Japanese legal order.
(76)
A first protection is enshrined in Article 24 of the APPI which generally prohibits the transfer of personal data to a third party outside the territory of Japan without the prior consent of the individual concerned. Supplementary Rule (4) ensures that in the case of data transfers from the European Union such consent will be particularly well informed as it requires that the individual concerned shall be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent". On that basis, the data subject shall be informed of the fact that the data will be transferred abroad (outside the scope of application of the APPI) and of the specific country of destination. This will allow him/her to assess the risk for privacy involved with the transfer. Also, as can be inferred from Article 23 of the APPI (see recital 47), the information provided to the principal should cover the compulsory items under its paragraph 2, namely the categories of personal data provided to a third party and the method of disclosure.
(77)
Article 24 of the APPI, applied together with Article 11-2 of the PPC Rules, provides several exceptions to this consent-based rule. Furthermore, pursuant to Article 24, the same derogations as those applicable under Article 23(1) of the APPI apply also to international data transfers (46).
(78)
To ensure continuity of protection in case of personal data transferred from the European Union to Japan under this Decision, Supplementary Rule (4) enhances the level of protection for onward transfers of such data by the PIHBO to a third country recipient. It does so by limiting and framing the bases for international transfers that can be used by the PIHBO as an alternative to consent. More specifically, and without prejudice to the derogations set forth in Article 23(1) of the APPI, personal data transferred under this Decision may be subject to (onward) transfers without consent only in two cases: (i) where the data is sent to a third country which has been recognised by the PPC under Article 24 of the APPI as providing an equivalent level of protection to the one guaranteed in Japan (47); or (ii) where the PIHBO and the third party recipient have together implemented measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules, by means of a contract, other forms of binding agreements or binding arrangements within a corporate group. The second category corresponds to the instruments used under Regulation (EU) 2016/679 to ensure appropriate safeguards (in particular, contractual clauses and binding corporate rules). In addition, as confirmed by the PPC, even in those cases, the transfer remains subject to the general rules applicable to any provision of personal data to a third party under the APPI (i.e. the requirement to obtain consent under Article 23(1) or, alternatively, the information requirement with a possibility to opt out under Article 23(2) of the APPI). In case the data subject cannot be reached with a request for consent or in order to provide the required advance information under Article 23(2) of the APPI, the transfer may not take place.
(80)
Finally, a further safeguard in case of (onward) transfers follows from Articles 20 and 22 of the APPI. According to these provisions, where a third country operator (data importer) acts on behalf of the PIHBO (data exporter), that is as a (sub-) processor, the latter has to ensure supervision over the former as regards security of data processing.
(87)
Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).
(141)
Second, given that redress will naturally have to be sought abroad in a foreign system and in a foreign language, in order to facilitate redress for EU individuals whose personal data is transferred to business operators in Japan and then accessed by public authorities, the Japanese government has made use of its powers to create a specific mechanism, administered and supervised by PPC, for handling and resolving complaints in this field. That mechanism builds on the cooperation obligation imposed on Japanese public authorities under the APPI and the special role of the PPC with respect to international data transfers from third countries under Article 6 of the APPI and the Basic Policy (as established by the Japanese government through Cabinet Order). The details of this mechanism are set out in the official representations, assurances and commitments received from the Japanese government and attached to this Decision as Annex II. The mechanism is not subject to any standing requirement and is open to any individual, independently of whether (s)he is suspected or accused of a criminal offence.
(181)
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
(184)
Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.
(185)
If, after the specified time period, the competent Japanese authorities fail to demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission should, in application of Article 45(5) of Regulation (EU) 2016/679, initiate the procedure leading to the partial or complete suspension or repeal of this Decision. Alternatively, the Commission should initiate the procedure to amend this Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which the continuity of protection within the meaning of Article 44 of the GDPR is ensured.