(33)
According to the PPC Guidelines, "business" means any "conduct aimed at exercising, for a certain goal, regardless of whether or not for profit, repeatedly and continuously, a socially recognised enterprise". Organisations without legal personality (such as de facto associations) or individuals are considered as a PIHBO if they provide (use) a personal information database etc. for their business (23). Therefore, the notion of "business" under the APPI is very broad in that it includes not only for-profit but also not-for-profit activities by all kinds of organisations and individuals. Moreover, "use in business" also covers personal information that is not used in the operator's (external) commercial relationships, but internally, for instance the processing of employee data.
(59)
Furthermore, whenever personal information is handled by employees or sub-contractors, "necessary and appropriate supervision" must be ensured under Articles 20 and 21 of the APPI for security control purposes. Finally, pursuant to Article 83 of the APPI, intentional leakage or theft of personal information is punishable by a sanction of up to one year of imprisonment.
(108)
Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.