On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhance the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

The Supplementary Rules further clarify and strengthen the PPC's enforcement powers. More specially, in cases involving data imported from the European Union, the PPC will always consider a PIHBO's failure to take action in line with a recommendation issued by the APPI pursuant to Article 42(1), without legitimate ground, as a serious infringement of an imminent nature of an individual's rights and interests within the meaning of Article 42(2), and therefore as an infringement warranting the issuance of a binding order. Moreover, as a "legitimate ground" for not complying with a recommendation the PPC will only accept an "event of an extraordinary nature [preventing compliance] outside the control of the [PIHBO] which cannot be reasonably foreseen (for example, natural disasters)" or cases where the necessity to take action concerning a recommendation "has disappeared because the [PIHBO] has taken alternative action that fully remedies the violation".

Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.

To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).

Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.

Also, according to the information received only four government entities are empowered to collect electronic information held by Japanese business operators on national security grounds, namely: (i) the Cabinet Intelligence & Research Office (CIRO); (ii) the Ministry of Defence ("MOD"); (iii) the police (both National Police Agency (NPA) (125) and Prefectural Police); and (iv) the Public Security Intelligence Agency ("PSIA"). However, the CIRO never collects information directly from business operators, including by means of interception of communications. Where it receives information from other government authorities in order to provide analysis to the Cabinet, these other authorities in turn have to comply with the law, including the limitations and safeguards analysed in this Decision. Its activities are thus not relevant in a transfer context.

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. At the same time, as explained by the Court of Justice in the Schrems judgment (148) and recognised in Article 58(5) of the Regulation, where a DPA questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (149).

In particular, the Commission should initiate the procedure for suspension or repeal in case of indications that the Supplementary Rules contained in Annex I are not complied with by business operators receiving personal data under this Decision and/or are not effectively enforced, or that the Japanese authorities fail to comply with the representations, assurances and commitments contained in Annex II to this Decision.