The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).

Article 13 of the Constitution states:

"All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs."

Moreover, on 28 October 2016 the Cabinet of Japan (consisting of the Prime Minister and the Ministers forming his government) issued a "Basic Policy" to "comprehensively and integrally promote measures concerning the protection of personal information". Pursuant to Article 7 of the APPI, the "Basic Policy" is issued in the form of a Cabinet Decision and includes policy orientations concerning the enforcement of the APPI, directed to both the central government and local governments.

Recently, by a Cabinet Decision adopted on 12 June 2018, the Japanese government amended the "Basic Policy". With a view to facilitating international data transfers, that Cabinet Decision delegates to the PPC, as the authority competent for administering and implementing the APPI, "the power to take the necessary action to bridge differences of the systems and operations between Japan and the concerned foreign country based on Article 6 of the Act in view of ensuring appropriate handling of personal information received from such country". The Cabinet Decision stipulates that this includes the power to establish enhanced protections through the adoption by the PPC of stricter rules supplementing and going beyond those laid down in the APPI and the Cabinet Order. Pursuant to that Decision, these stricter rules shall be binding and enforceable on Japanese business operators.

Concerning its personal scope, the APPI applies only to PIHBOs. A PIHBO is defined in Article 2(5) of the APPI as "a person providing a personal information database etc. for use in business", with the exclusion of the government and administrative agencies at both central and local level.

Before or instead of seeking administrative or judicial redress, an individual may decide to submit a complaint about the processing of his/her personal data to the controller itself. Based on Article 35 of the APPI, PIHBOs shall endeavour to deal with such complaints "appropriately and promptly" and establish internal complaint-handling systems to achieve this objective. In addition, under Article 61(ii) of the APPI the PPC is responsible for the "necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint", which in both cases includes complaints submitted by foreigners. In this regard, the Japanese legislator has also entrusted the central government with the task of taking "necessary action" to enable and facilitate the resolution of complaints by PIHBOs (Article 9), while local governments shall endeavour to ensure mediation in such cases (Article 13). In that respect, individuals may lodge a complaint with one of the more than 1 700 consumer centres established by local governments based on the Consumer Safety Act (61), in addition to the possibility of lodging a complaint with the National Consumer Affairs Centre of Japan. Such complaints may also be brought with respect to a violation of the APPI. Under Article 19 of the Basic Consumer Act (62), local governments shall endeavour to engage in mediation with respect to complaints and provide the parties with necessary expertise. Those dispute resolution mechanisms appear quite effective, with a resolution rate of 91,2 % concerning more than 75 000 complaint cases in 2015.

Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.

The Commission has also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Japanese law as regards the collection and subsequent use of personal data transferred to business operators in Japan by public authorities for public interest, in particular criminal law enforcement and national security purposes ("government access"). In this respect, the Japanese government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.

As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).

Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.

Second, given that redress will naturally have to be sought abroad in a foreign system and in a foreign language, in order to facilitate redress for EU individuals whose personal data is transferred to business operators in Japan and then accessed by public authorities, the Japanese government has made use of its powers to create a specific mechanism, administered and supervised by PPC, for handling and resolving complaints in this field. That mechanism builds on the cooperation obligation imposed on Japanese public authorities under the APPI and the special role of the PPC with respect to international data transfers from third countries under Article 6 of the APPI and the Basic Policy (as established by the Japanese government through Cabinet Order). The details of this mechanism are set out in the official representations, assurances and commitments received from the Japanese government and attached to this Decision as Annex II. The mechanism is not subject to any standing requirement and is open to any individual, independently of whether (s)he is suspected or accused of a criminal offence.

With respect to all those redress avenues, the dispute resolution mechanism created by the Japanese government provides that an individual who is still dissatisfied with the outcome of the procedure can address the PPC "which shall inform the individual of the various possibilities and detailed procedures for obtaining redress under Japanese laws and regulations." Moreover, the PPC "will provide the individual with support, including counselling and assistance in bringing any further action to the relevant administrative or judicial body."

Also, according to the information received only four government entities are empowered to collect electronic information held by Japanese business operators on national security grounds, namely: (i) the Cabinet Intelligence & Research Office (CIRO); (ii) the Ministry of Defence ("MOD"); (iii) the police (both National Police Agency (NPA) (125) and Prefectural Police); and (iv) the Public Security Intelligence Agency ("PSIA"). However, the CIRO never collects information directly from business operators, including by means of interception of communications. Where it receives information from other government authorities in order to provide analysis to the Cabinet, these other authorities in turn have to comply with the law, including the limitations and safeguards analysed in this Decision. Its activities are thus not relevant in a transfer context.

The collection of personal information for national security purposes is subject to several layers of oversight from the three branches of government.

As is the case for investigations in the area of criminal law enforcement, also in the area of national security individuals may obtain individual redress by directly contacting the PPC. This will trigger the specific dispute resolution procedure that the Japanese government has created for EU individuals whose personal data is transferred under this Decision (see detailed explanations in recitals 141 to 144, 149).

Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.

To perform the review, the Commission should meet with the PPC, accompanied, where appropriate, by other Japanese authorities responsible for government access, including relevant oversight bodies. The participation in this meeting should be open to representatives of the members of the European Data Protection Board (EDPB). In the framework of the Joint Review, the Commission should request the PPC to provide comprehensive information on all aspects relevant for the adequacy finding, including on the limitations and safeguards concerning government access (152). The Commission should also seek explanations on any information relevant for this Decision that it has received, including public reports by Japanese authorities or other stakeholders in Japan, the EDPB, individual DPAs, civil society groups, media reports, or any other available source of information.