PERIODIC REVIEW OF THE ADEQUACY FINDING
In application of Article 45(3) of Regulation (EU) 2016/679 (150), and in the light of the fact that the level of protection afforded by the Japanese legal order may be liable to change, the Commission, following the adoption of this Decision, should periodically check whether the findings relating to the adequacy of the level of protection ensured by Japan are still factually and legally justified.
To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.
To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.
On the basis of the Joint Review, the Commission should prepare a public report to be submitted to the European Parliament and the Council.