Oversight and enforcement 2.4.1. Independent oversight

In order to ensure that an adequate level of data protection is guaranteed also in practice, an independent supervisory authority tasked with powers to monitor and enforce compliance with the data protection rules should be in place. This authority should act with complete independence and impartiality in performing its duties and exercising its powers.

In Japan, the authority in charge of monitoring and enforcing the APPI is the PPC. It is composed of a Chairperson and eight Commissioners appointed by the Prime Minister with the consent of both Houses of the Diet. The term of office for the Chairperson and each of the Commissioners is five years, with the possibility for reappointment (Article 64 of the APPI). Commissioners may only be dismissed for good cause in a limited set of exceptional circumstances (57) and must not be actively engaged in political activities. Moreover, under the APPI, full-time Commissioners must abstain from any other remunerated activities, or business activities. All Commissioners are also subject to internal rules preventing them from participation in deliberations in case of a possible conflict of interests. The PPC is assisted by a Secretariat, led by a Secretary-General, that has been established for the purpose of carrying out the tasks assigned to the PPC (Article 70 of the APPI). Both the Commissioners and all officials in the Secretariat are bound by strict rules of secrecy (Articles 72, 82 of the APPI).

The powers of the PPC, which it exercises in full independence (58), are mainly provided for in Articles 40, 41 and 42 of the APPI. Under Article 40, the PPC may request PIHBOs to report or submit documents on processing operations and may also carry out inspections, both on-site and of books or other documents. To the extent necessary to enforce the APPI, the PPC may also provide PIHBOs with guidance or advice as regards the handling of personal information. The PPC has already made use of this power under Article 41 APPI by addressing guidance to Facebook, following the Facebook/Cambridge Analytica revelations.

Most importantly, the PPC has the power – acting on a complaint or its own initiative – to issue recommendations and orders in order to enforce the APPI and other binding rules (including the Supplementary Rules) in individual cases. Those powers are laid down in Article 42 of the APPI. While its paragraphs 1 and 2 provide for a two-step mechanism whereby the PPC may issue an order (only) following a prior recommendation, paragraph 3 allows for the direct adoption of an order in cases of urgency.

Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.

Pursuant to Article 42(1) of the APPI, the PPC can, if it recognizes that there is a "need for protecting an individual's rights and interests in cases where a [PIHBO] has violated" specific APPI provisions, issue a recommendation to "suspend the act of violating or take other necessary action to rectify the violation". Such a recommendation is not binding, but opens the way for a binding order pursuant to Article 42(2) of the APPI. Based on this provision, if the recommendation is not followed "without legitimate grounds" and the PPC "recognises that a serious infringement of an individual's rights and interests is imminent", it can order the PIHBO to take action in line with the recommendation.

The Supplementary Rules further clarify and strengthen the PPC's enforcement powers. More specially, in cases involving data imported from the European Union, the PPC will always consider a PIHBO's failure to take action in line with a recommendation issued by the APPI pursuant to Article 42(1), without legitimate ground, as a serious infringement of an imminent nature of an individual's rights and interests within the meaning of Article 42(2), and therefore as an infringement warranting the issuance of a binding order. Moreover, as a "legitimate ground" for not complying with a recommendation the PPC will only accept an "event of an extraordinary nature [preventing compliance] outside the control of the [PIHBO] which cannot be reasonably foreseen (for example, natural disasters)" or cases where the necessity to take action concerning a recommendation "has disappeared because the [PIHBO] has taken alternative action that fully remedies the violation".

Non-compliance with a PPC order is considered as a criminal offence under Article 84 of the APPI and a PIHBO found guilty can be punished by imprisonment with labour for up to six months or a fine of up to 300 000 yen. Furthermore, pursuant to Article 85(i) of the APPI, lack of cooperation with the PPC or obstruction to its investigation is punishable with a fine of up to 300 000 yen. These criminal sanctions apply in addition to those that may be imposed for substantive violations of the APPI (see recital 108).