
Article 1 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 2 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 3 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Article 4 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ANNEX 1
[Terms]
‘Act’The Act on the Protection of Personal Information (Act No. 57, 2003)‘Cabinet Order’Cabinet Order to Enforce the Act on the Protection of Personal Information (Cabinet Order No. 507, 2003)‘Rules’Enforcement Rules for the Act on the Protection of Personal Information (Rules of the Personal Information Protection Commission No. 3, 2016)"General Rules Guidelines"Guidelines for the Act on the Protection of Personal Information (Volume on General Rules) (Notice of the Personal Information Protection Commission No. 65, 2015)‘EU’European Union, including its Member States and, in the light of the EEA Agreement, Iceland, Liechtenstein and Norway‘GDPR’Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)‘adequacy decision’The European Commission’s decision that a third country or a territory within that third country, etc. ensures an adequate level of protection of personal data pursuant to Article 45 of the GDPR
The Personal Information Protection Commission, for the purpose of conducting mutual and smooth transfer of personal data between Japan and the EU, designated the EU as a foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual’s rights and interests based on Article 24 of the Act and the European Commission concurrently decided that Japan ensures an adequate level of protection of personal data pursuant to Article 45 of the GDPR.
Hereby, mutual and smooth transfer of personal data will be conducted between Japan and the EU in a way that ensures a high level of protection of an individual’s rights and interests. In order to ensure that high level of protection regarding personal information received from the EU based on an adequacy decision and in light of the fact that, despite a high degree of convergence between the two systems, there are some relevant differences, the Personal Information Protection Commission has adopted these Supplementary Rules, based on the provisions of the Act concerning implementation etc. of cooperation with the governments in other countries and in view of ensuring appropriate handling of personal information received from the EU based on an adequacy decision by a personal information handling business operator and proper and effective implementation of the obligations laid down in such rules.
In particular, Article 6 of the Act provides for the power to take necessary legislative and other action with a view to ensure the enhanced protection of personal information and construct an internationally conformable system concerning personal information through stricter rules that supplement and go beyond those laid down in the Act and the Cabinet Order. Therefore, the Personal Information Protection Commission, as the authority competent for governing the overall administration of the Act, has the power to establish pursuant to Article 6 of the Act stricter regulations by formulating the present Supplementary Rules providing for a higher level of protection of an individual’s rights and interests regarding the handling of personal data received from the EU based on an adequacy decision, including with respect to the definition of special care-required personal information pursuant to Article 2, paragraph 3, of the Act and retained personal data pursuant to Article 2, paragraph 7, of the Act (including as to the relevant retention period).
On this basis, the Supplementary Rules are binding on a personal information handling business operator that receives personal data transferred from the EU based on an adequacy decision which is thus required to comply with them. As legally binding rules, any rights and obligations are enforceable by the Personal Information Protection Commission in the same way as the provisions of the Act that they supplement with stricter and/or more detailed rules. In case of infringement of the rights and obligations resulting from the Supplementary Rules, individuals can also obtain redress from courts in the same way as with respect to the provisions of the Act that they supplement with stricter and/or more detailed rules.
As regards enforcement by the Personal Information Protection Commission, in case a personal information handling business operator does not comply with one or several obligations under the Supplementary Rules, the Personal Information Protection Commission has the power to adopt measures pursuant to Article 42 of the Act. Regarding generally personal information received from the EU based on an adequacy decision, failure by a personal information handling business operator to take action in line with a recommendation received pursuant to Article 42, paragraph 1, of the Act, without legitimate ground, is considered as a serious infringement of an imminent nature of an individual’s rights and interests within the meaning of Article 42, paragraph 2, of the Act.

(1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(4) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ANNEX 2
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

The following document provides an overview of the legal framework for the collection and use of personal (electronic) information by Japanese public authorities for criminal law enforcement and national security purposes (hereinafter referred to as "government access"), in particular as regards the available legal bases, applicable conditions (limitations) and safeguards, including independent oversight and individual redress possibilities. This representation is addressed to the European Commission with a view to express the commitment and provide assurances that government access to personal information transferred from the EU to Japan will be limited to what is necessary and proportionate, subject to independent oversight and that concerned individuals will be able to obtain redress in case of any possible violation of their fundamental right to privacy and data protection. This representation also provides for the creation of a new redress mechanism, administrated by the Personal Information Protection Commission (PPC), to handle complaints by EU individuals concerning government access to their personal data transferred from the EU to Japan.
 I. 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 II.  A)  1)  (a) 
According to Article 35 of the Constitution, the right of all persons to be secure in their homes, papers and effects against entries, searches and seizures shall not be impaired except upon a warrant issued for ‘adequate cause’ and particularly describing the place to be searched and things to be seized. Consequently, the compulsory collection of electronic information by public authorities in the context of a criminal investigation can only take place based on a warrant. This applies to both the collection of electronic records containing (personal) information and the real-time interception of communications (so-called wiretapping). The only exception to this rule (which however is not relevant in the context of an electronic transfer of personal information from abroad) is Article 220(1) of the Code of Criminal Procedure, according to which a public prosecutor, a public prosecutor's assistant officer or a judicial police official may, when arresting a suspect or "flagrant offender", if necessary carry out a search and seizure "on the spot at the arrest".

Article 197(1) of the Code of Criminal Procedure provides that compulsory measures of investigation "shall not be applied unless special provisions have been established in this Code". With respect to the compulsory collection of electronic information, the relevant legal bases in this regard are Article 218(1) of the Code of Criminal Procedure (according to which a public prosecutor, a public prosecutor's assistant officer or a judicial police official may, if necessary for the investigation of an offense, conduct a search, seizure or inspection upon a warrant issued by a judge) and Article 222-2 of the Code of Criminal Procedure (according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other Acts). The latter provision refers to the Act on Wiretapping for Criminal Investigation (Wiretapping Act), which in its Article 3(1) stipulates the conditions under which communications relating to certain serious crimes can be wiretapped based on a wiretapping warrant issued by a judge.

Regarding the police, the investigate authority lies in all cases with the Prefectural Police, whereas the National Police Agency (NPA) does not conduct any criminal investigations based on the Code of Criminal Procedure.
 (b) 
The compulsory collection of electronic information is limited by the Constitution and empowering statutes, as interpreted in case law, which in particular provide for the criteria to be applied by courts when issuing a warrant. In addition, the APPIHAO imposes a number of limitations applicable to both the collection and handling of information (while local ordinances reproduce essentially the same criteria for the Prefectural Police).
 (1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 2)  a) 
Aside from using compulsory means, personal information is obtained either from a source that can be freely accessed or based on voluntary disclosure, including by business operators holding such information.

As regards the latter, Article 197(2) of the Code of Criminal Procedure empowers the prosecution and judicial police to make "written inquiries on investigative matters" (so-called "enquiry sheets"). Under the Code of Criminal Procedure, the inquired persons are requested to report to investigative authorities. However, there is no way to force them to report, if the public offices, or the public and/or the private organizations, who received the inquiries, refuse to comply. If they do not report for the inquiries, no criminal punishment or other sanction can be imposed. If the investigative authorities consider the requested information indispensable, they will need to obtain the information through search and seizure based on a court warrant.

Given the growing awareness of individuals as regards their privacy rights, as well as the workload created by such requests, business operators are more and more cautious in answering such requests. In deciding whether to cooperate, business operators in particular take into account the nature of the information requested, their relationship with the person whose information is at stake, risks to their reputation, litigation risks, etc.
 b) 
As for the compulsory collection of electronic information, voluntary investigation is limited by the Constitution, as interpreted in case law, and the empowering statute. In addition, business operators are not legally allowed to disclose information in certain situations. Finally, the APPIHAO provides for a number of limitations applicable to both the collection and handling of information (while local ordinances reproduce essentially the same criteria for the Prefectural Police).
 (1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (3) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 B)  1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 3) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 4) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 C) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 III.  A.  1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 2)  a)  (1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (3) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 (4) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 b) 
As explained earlier in section II.A.2) b) (1) concerning criminal investigations, it follows from the case law of the Supreme Court that, in order to address a request for voluntary cooperation to a business operator, such a request must be necessary for the investigation of a suspected crime and must be reasonable in order to achieve the purpose of the investigation.

Although investigations conducted by investigative authorities in the area of national security differ from investigations conducted by investigative authorities in the area of law enforcement as regards both their legal basis and purpose, the central principles of ‘necessity for investigation’ and ‘appropriateness of method’ similarly apply in the area of national security and have to be complied with taking appropriate account of the specific circumstances of each case.

The combination of the above limitations ensures that the collection and processing of information takes place only to the extent necessary to the performance of specific duties of the competent public authority as well as on the basis of specific threats. This excludes mass and indiscriminate collection or access to personal information for national security reasons.
 B.  1) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 2) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 3) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 4) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 5) 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 C. 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
 IV. 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
