As specified in Article 45(2) of Regulation (EU) 2016/679, the adoption of an adequacy decision has to be based on a comprehensive analysis of the third country's legal order, with respect to both the rules applicable to the data importers and the limitations and safeguards as regards access to personal data by public authorities. The assessment has to determine whether the third country in question guarantees a level of protection "essentially equivalent" to that ensured within the European Union (recital 104 of Regulation (EU) 2016/679). As clarified by the Court of Justice of the European Union, this does not require an identical level of protection (2). In particular, the means to which the third country in question has recourse may differ from the ones employed in the European Union, as long as they prove, in practice, effective for ensuring an adequate level of protection (3). The adequacy standard therefore does not require a point-to-point replication of Union rules. Rather, the test lies in whether, through the substance of privacy rights and their effective implementation, supervision and enforcement, the foreign system as a whole delivers the required level of protection (4).

The two latter acts (amended in 2016) contain provisions applicable to the protection of personal information by public sector entities. Data processing falling within the scope of application of those acts is not the object of the adequacy finding contained in this Decision, which is limited to the protection of personal information by "Personal Information Handling Business Operators" (PIHBOs) within the meaning of the APPI.

On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhance the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.

By contrast, this distinction will not be relevant for personal data imported from the European Union to Japan on the basis of an adequacy decision. As such data will typically be transferred by electronic means (given that in the digital era this is the usual way of exchanging data, especially over a large distance as between the EU and Japan), and hence become part of the data importer's electronic filing system, such EU data will fall into the category of "personal data" under the APPI. In the exceptional case that personal data would be transferred from the EU by other means (e.g. in paper form), it will still be covered by the APPI if following the transfer it becomes part of a "collective body of information" systematically organised so as to allow easy search for specific information (Article 2(4)(ii) APPI). According to Article 3(2) of the Cabinet Order, this will be the case where the information is arranged "according to a certain rule" and the database includes tools such as for instance a table of contents or index to facilitate the search. This corresponds to the definition of a "filing system" within the meaning of Article 2(1) of the GDPR.

When it comes to personal information acquired from another business operator, the PIHBO is, in principle, free to set a new utilisation purpose (28). In order to ensure that, in case of a transfer from the European Union, such a recipient is bound by the purpose for which the data was transferred, Supplementary Rule (3) requires that, in cases "where a [PIHBO] receives personal data from the EU based on an adequacy decision" or such an operator "receives from another [PIHBO] personal data previously transferred from the EU based on an adequacy decision" (onward sharing), the recipient has to "specify the purpose of utilising the said personal data within the scope of the utilisation purpose for which the data was originally or subsequently received". In other words, the rule ensures that in a transfer context the purpose specified pursuant to Regulation (EU) 2016/679 continues to determine the processing, and that a change of that purpose at any stage of the processing chain in Japan would require the consent of the EU data subject. While obtaining this consent requires the PIHBO to contact the data subject, where this is not possible the consequence is simply that the original purpose has to be maintained.

On this basis, the Commission concludes that the adequacy standard of Article 45 of Regulation (EU) 2016/679, interpreted in light of the Charter of Fundamental Rights of the European Union, in particular in the Schrems judgment (146), is met.

According to the case law of the Court of Justice (147), and as recognized in Article 45(4) of Regulation (EU) 2016/679, the Commission should continuously monitor relevant developments in the third country after the adoption of an adequacy decision in order to assess whether Japan still ensures an essentially equivalent level of protection. Such a check is required, in any event, when the Commission receives information giving rise to a justified doubt in that respect.

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. At the same time, as explained by the Court of Justice in the Schrems judgment (148) and recognised in Article 58(5) of the Regulation, where a DPA questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (149).

In application of Article 45(3) of Regulation (EU) 2016/679 (150), and in the light of the fact that the level of protection afforded by the Japanese legal order may be liable to change, the Commission, following the adoption of this Decision, should periodically check whether the findings relating to the adequacy of the level of protection ensured by Japan are still factually and legally justified.

To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.

If, after the specified time period, the competent Japanese authorities fail to demonstrate satisfactorily that this Decision continues to be based on an adequate level of protection, the Commission should, in application of Article 45(5) of Regulation (EU) 2016/679, initiate the procedure leading to the partial or complete suspension or repeal of this Decision. Alternatively, the Commission should initiate the procedure to amend this Decision, in particular by subjecting data transfers to additional conditions or by limiting the scope of the adequacy finding only to data transfers for which the continuity of protection within the meaning of Article 44 of the GDPR is ensured.

The European Parliament has adopted a resolution on a digital trade strategy that calls on the Commission to prioritise and speed up the adoption of adequacy decisions with important trading partners under the conditions laid down in Regulation (EU) 2016/679, as an important mechanism to safeguard the transfer of personal data from the European Union (155). The European Parliament has also adopted a resolution on the adequacy of the protection of personal data afforded by Japan (156).