The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).

On 30 May 2003, Japan enacted a series of laws in the area of data protection:

—

The Act on the Protection of Personal Information (APPI);

—

The Act on the Protection of Personal Information Held by Administrative Organs (APPIHAO);

—

The Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (APPI-IAA).

Unlike before the 2015 amendment when this fell into the competence of various Japanese Ministries in specific sectors, the APPI empowers the PPC to adopt "Guidelines" "to ensure the proper and effective implementation of action to be taken by a business operator" under the data protection rules. Through its Guidelines, PPC provides an authoritative interpretation of those rules, in particular the APPI. According to the information received from the PPC, those Guidelines form an integral part of the legal framework, to be read together with the text of the APPI, the Cabinet Order, the PPC Rules and a set of Q&A (14) prepared by PPC. They are therefore "binding on business operators". Where the Guidelines state that a business operator "must" or "should not" act in a specified way, the PPC will consider that non-compliance with the relevant provisions amounts to a violation of the law (15).

This exception is further specified in Article 3(1) of the Cabinet Order, according to which the three following cumulative conditions must be fulfilled: (i) the collective body of information must have been "issued for the purpose of being sold to a large number of unspecified persons and the issuance of which has not been conducted in violation of the provisions of a law or order based thereon"; (ii) must be capable of being "purchased at any time by a large number of unspecified persons" and (iii) the personal data contained therein must be "provided for their original purpose without adding other information relating to a living individual". According to the explanations received from the PPC, this narrow exception was introduced with the aim of excluding telephone books or similar types of directories.

As regards the first of those two categories, it is explained in Article 4 of the Cabinet Order and covers four types of exemptions (20). These exemptions pursue similar objectives as those listed in Article 23(1) of Regulation (EU) 2016/679, notably protection of the data subject ("principal" in the terminology of the APPI) and the freedom of others, national security, public security, criminal law enforcement or other important objectives of general public interest. In addition, it results from the wording of Article 4(1)(i)-(iv) of the Cabinet Order that their application always presupposes a specific risk for one of the protected important interests (21).

The additional protection referred to in recital 43 is all the more relevant as it is through the purpose limitation principle that the Japanese system also ensures that personal data is processed lawfully and fairly.

Hence, given that under Regulation (EU) 2016/679 a transfer requires a valid legal basis and specific purpose, which are reflected in the utilization purpose "confirmed" under the APPI, the combination of the relevant provisions of the APPI and of Supplementary Rule (3) ensures the continued lawfulness of the processing of EU data in Japan.

These principles are ensured in Japanese law by Article 16(1) of the APPI, which prohibits the handling of personal information beyond "the necessary scope to achieve a utilisation purpose". As explained by the PPC, this not only excludes the use of data that is not adequate and the excessive use of data (beyond what is necessary for achieving the utilisation purpose), but also entails the prohibition to handle data not relevant for the achievement of the utilisation purpose.

As concerns the obligation to keep data accurate and up to date, Article 19 of the APPI requires the PIHBO to "strive to keep personal data accurate and up-to-date within the scope necessary to achieve a utilisation purpose". That provision should be read together with Article 16(1) of the APPI: according to the explanations received from the PPC, if a PIHBO fails to meet the prescribed standards of accuracy, the processing of the personal information will not be considered as achieving the utilisation purpose and hence, its handling will become unlawful under Article 16(1).

Personal data should be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art and related costs.

This principle is implemented in Japanese law by Article 20 of the APPI, providing that a PIHBO "shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data." The PPC Guidelines explain the measures to be taken, including the methods for the establishment of basic policies, data handling rules and various "control actions" (regarding organisational safety as well as human, physical and technological security) (35). In addition, the PPC Guidelines and a dedicated Notice (Appendix 8 on "Contents of the safety management measures that have to be taken") published by the PPC provide more details on measures concerning security incidents involving, for example, the leakage of personal information, as part of the security management measures to be taken by PIHBOs (36).

While the concept of "sensitive" data is inherently a social construct in that it is grounded in cultural and legal traditions, moral considerations, policy choices etc. of a given society, given the importance of ensuring adequate safeguards to sensitive data when transferred to business operators in Japan the Commission has obtained that the special protections afforded to "special care-required personal information" under Japanese law are extended to all categories recognised as "sensitive data" in Regulation (EU) 2016/679. To this end, Supplementary Rule (1) provides that data transferred from the European Union concerning an individual's sex life, sexual orientation or trade-union membership shall be processed by PIHBOs "in the same manner as special care-required personal information within the meaning of Article 2, paragraph 3 of the [APPI]".

As mentioned in footnote 34 (recital 49), PIHBOs are required, under Article 26(1) of the APPI, to verify the identity of a third party providing personal data to them and the "circumstances" under which such data was acquired by the third party (in case of personal data covered by this Decision, according to the APPI and Supplementary Rule (3) those circumstances shall include the fact that the data originates from the European Union as well as the purpose of the original data transfer). Among others, that measure aims at ensuring the lawfulness of data processing throughout the chain of PIHBOs handling the personal data. Furthermore, under Article 26(3) of the APPI, PIHBOs are required to keep a record of the date of receipt and the (mandatory) information received from the third party pursuant to paragraph 1, as well as the name of the individual concerned (data subject), the categories of data processed and, to the extent relevant, the fact that the data subject has given consent for sharing his/her personal data. As specified in Article 18 of the PPC Rules, those records must be preserved for a period of at least one to three years, depending on the circumstances. In the exercise of its tasks, the PPC can require the submission of such records (39).

Like EU data protection law, the APPI grants individuals a number of enforceable rights. This includes the right to access ('disclosure'), rectification and erasure as well as the right to object ('utilisation cease').

These rights are subject to three types of restrictions, relating to the individual's own or third parties’ rights and interests (51), serious interference with the PIHBO's business operations (52) as well as cases in which disclosure would violate other laws or regulations (53). The situations in which these restrictions would apply are similar to some of the exceptions applicable under Article 23(1) of Regulation (EU) 2016/679, which allows for restrictions of the rights of individuals for reasons related to the "protection of the data subject or the rights and freedoms of others" or "other important objectives of general public interest". Although the category of cases in which disclosure would violate "other laws or regulations" may appear broad, laws and regulations providing for limitations in this regard must respect the constitutional right to privacy and may impose restrictions only to the extent that the exercise of this right would "interfere with the public welfare" (54). This requires a balancing of the interests at stake.

Differently from EU law, the APPI and relevant sub-statutory rules do not contain legal provisions specifically addressing the possibility to oppose processing for direct marketing purposes. However, such processing will, under this Decision, take place in the context of a transfer of personal data that was previously collected in the European Union. Under Article 21(2) of Regulation (EU) 2016/679, the data subject shall always have the possibility to oppose a transfer of data for the purpose of processing for direct marketing. Moreover, as explained in recital 43, under Supplementary Rule (3), a PIHBO is required to process the data received under the Decision for the same purpose for which the data have been transferred from the European Union, unless the data subject consents to change the utilisation purpose.Hence, if the transfer has been made for any purpose other than direct marketing, a PIHBO in Japan will be barred from processing the data for the purpose of direct marketing without consent of the EU data subject.

Differently from EU law, the APPI and relevant sub-statutory rules do not contain general provisions addressing the issue of decisions affecting the data subject and based solely on the automated processing of personal data. However, the issue is addressed in certain sectoral rules applicable in Japan that are particularly relevant for this type of processing. This includes sectors in which companies most likely resort to the automated processing of personal data to take decisions affecting individuals (e.g. the financial sector). For example, the "Comprehensive Guidelines for Supervision over Major Banks", as revised in June 2017, require that the concerned individual be provided with specific explanations on the reasons for the rejection of a request to conclude a loan agreement. Those rules thus offer protections in the likely rather limited number of cases where automated decisions would be taken by the "importing" Japanese business operator itself (rather than the "exporting" EU data controller).

Violations of the provisions of the APPI by a PIHBO can give rise to civil actions as well as criminal proceedings and sanctions. First, if an individual considers that his/her rights under Articles 28, 29 and 30 of the APPI have been infringed, (s)he may seek injunctive relief by asking the court to order a PIHBO to satisfy his/her request under one of these provisions, i.e. to disclose retained personal data (Article 28), to rectify retained personal data that is incorrect (Article 29) or to cease unlawful processing or third party provision (Article 30). Such an action may be brought without the need to rely on Article 709 of the Civil Code (63) or otherwise on tort law (64). In particular, this means that the individual does not have to prove any harm.

Second, in the case where an alleged infringement does not concern individual rights under Articles 28, 29 and 30 but general data protection principles or obligations of the PIHBO, the concerned individual may bring a civil action against the business operator based on the torts provisions of the Japanese Civil Code, especially Article 709. While a lawsuit under Article 709 requires, aside from fault (intention or negligence), a demonstration of harm, according to Article 710 of the Civil Code such harm may be both material and immaterial. No limitation is imposed as to the amount of compensation.

As regards the available remedies, Article 709 of the Japanese Civil Code refers to monetary compensation. However, Japanese case law has interpreted this article as also conferring the right to obtain an injunction (65). Therefore, if a data subject brings an action under Article 709 of the Civil Code and claims that his/her rights or interests have been harmed by an infringement of an APPI provision by the defendant, that claim may include, besides compensation for damage, a request for injunctive relief, notably aiming at stopping any unlawful processing.

Third, in addition to civil law (tort) remedies, a data subject may file a complaint with a public prosecutor or judicial police official with respect to APPI violations that can lead to criminal sanctions. Chapter VII of the APPI contains a number of penal provisions. The most important one (Article 84) relates to non-compliance by the PIHBO with PPC orders pursuant to Article 42(2) and (3). If a business operator fails to comply with an order issued by the PPC, the PPC Chair (as well as any other government official) (66) may forward the case to the public prosecutor or judicial police official and in that way trigger the opening of a criminal procedure. The penalty for the violation of a PPC order is imprisonment with labour for up to six months or a fine of up to 300 000 yen. Other provisions of the APPI providing for sanctions in case of APPI violations affecting the rights and interests of data subjects include Article 83 of the APPI (regarding the "providing or using by stealth" of a personal information database "for the purpose of seeking […] illegal profits") and Article 88(i) of the APPI (regarding the failure by a third party to correctly inform the PIHBO when the latter receives personal data in accordance with Article 26(1) of the APPI, in particular on the details of the third party's own, prior acquisition of such data). The applicable penalties for such violations of the APPI are, respectively, imprisonment with work for up to one year or a fine of up to 500 000 yen (in case of Article 83) or an administrative fine of up to 100 000 yen (in case of Article 88(i)). While the threat of a criminal sanction is already likely to have a strong deterrent effect on the business management that directs the PIHBO's processing operations as well as on the individuals handling the data, Article 87 of the APPI clarifies that when a representative, employee or other worker of a corporate body has committed a violation pursuant to Articles 83 to 85 of the APPI, "the actor shall be punished and a fine set forth in the respective Articles shall be imposed on the said corporate body". In this case, both the employee and the company can be imposed sanctions up to the full maximum amount.

Finally, individuals may also seek redress against the PPC's actions or inactions. In this respect, Japanese law provides several avenues of administrative and judicial redress.

Finally, an individual may also file an action for State compensation against the PPC under Article 1(1) of the State Redress Act in case (s)he has suffered damages due to the fact that an order issued by the PPC to a business operator was unlawful or the PPC has not exercised its authority.

The Commission has also assessed the limitations and safeguards, including the oversight and individual redress mechanisms available in Japanese law as regards the collection and subsequent use of personal data transferred to business operators in Japan by public authorities for public interest, in particular criminal law enforcement and national security purposes ("government access"). In this respect, the Japanese government has provided the Commission with official representations, assurances and commitments signed at the highest ministerial and agency level that are contained in Annex II to this Decision.

As an exercise of public authority, government access in Japan must be carried out in full respect of the law (legality principle). In this regard, the Constitution of Japan contains provisions limiting and framing the collection of personal data by public authorities. As already mentioned with respect to processing by business operators, basing itself on Article 13 of the Constitution which among others protects the right to liberty, the Supreme Court of Japan has recognised the right to privacy and data protection (72). One important aspect of that right is the freedom not to have one's personal information disclosed to a third party without permission (73). This implies a right to the effective protection of personal data against abuse and (in particular) illegal access. Additional protection is ensured by Article 35 of the Constitution on the right of all persons to be secure in their homes, papers and effects, which requires from public authorities to obtain a court warrant issued for "adequate cause" (74) in all cases of "searches and seizures". In its judgment of 15 March 2017 (GPS case), the Supreme Court has clarified that this warrant requirement applies whenever the government invades ("enters into") the private sphere in a way that suppresses the individual's will and thus by means of a "compulsory investigation". A judge may only issue such warrant based on a concrete suspicion of crimes, i.e. when provided with documentary evidence based on which the person concerned by the investigation can be considered as having committed a criminal offence (75). Consequently, Japanese authorities have no legal authority to collect personal information by compulsory means in situations where no violation of the law has yet occurred (76), for example in order to prevent a crime or other security threat (as is the case for investigations on grounds of national security).

Under the reservation of law principle, any data collection as part of a coercive investigation must be specifically authorised by law (as reflected, for instance, in Article 197(1) of the Code of Criminal Procedure ("CCP") regarding the compulsory collection of information for the purposes of a criminal investigation). This requirement applies also to access to electronic information.

Importantly, Article 21(2) of the Constitution guarantees the secrecy of all means of communication, with limitations only allowed by legislation on public interest grounds. Article 4 of the Telecommunications Business Act, according to which the secrecy of communications handled by a telecommunications carrier shall not be violated, implements this confidentiality requirement at the level of statutory law. This has been interpreted as prohibiting the disclosure of communications information, except with the consent of users or if based on one of the explicit exemptions from criminal liability under the Penal Code (77).

As regards specifically the right to data protection, Chapter III, Sections 1, 2 and 3 of the APPI lays down general principles covering all sectors, including the public sector. In particular, Article 3 of the APPI provides that all personal information must be handled in accordance with the principle of respect for the personality of individuals. Once personal information, including as part of electronic records, has been collected ("obtained") by public authorities (78), its handling is governed by the Act on the Protection of Personal Information held by Administrative Organs ("APPIHAO") (79). This includes in principle (80) also the processing of personal information for criminal law enforcement or national security purposes. Among others, the APPIHAO provides that public authorities: (i) may only retain personal information to the extent this is necessary for carrying out their duties; (ii) shall not use such information for an "unjust" purpose or disclose it to a third person without justification; (iii) shall specify the purpose and not change that purpose beyond what can reasonably be considered as relevant for the original purpose (purpose limitation); (iv) shall in principle not use or provide a third person with the retained personal information for other purposes and, if they consider this necessary, impose restrictions on the purpose or method of use by third parties; (v) shall endeavour to ensure the correctness of the information (data quality); (vi) shall take the necessary measures for the proper management of the information and to prevent leakage, loss or damage (data security); and (vii) shall endeavour to properly and expeditiously process any complaints regarding the processing of the information (81).

Japanese law contains a number of limitations on the access and use of personal data for criminal law enforcement purposes as well as oversight and redress mechanisms that provide sufficient safeguards for that data to be effectively protected against unlawful interference and the risk of abuse.

In the Japanese legal framework, the collection of electronic information for criminal law enforcement purposes is permissible based on a warrant (compulsory collection) or a request for voluntary disclosure.

As indicated in recital 115, any data collection as part of a coercive investigation must be specifically authorised by law and may only be carried out based on a court warrant "issued for adequate cause" (Article 35 of the Constitution). As regards the investigation of criminal offences, this requirement is reflected in the provisions of the Code of Criminal Procedure ("CCP"). According to Article 197(1) of the CCP, compulsory measures "shall not be applied unless special provisions have been established in this Code". With respect to the collection of electronic information, the only relevant (82) legal bases in this regard are Article 218 of the CCP (search and seizure) and Article 222-2 of the CCP, according to which compulsory measures for the interception of electronic communications without the consent of either party shall be executed based upon other acts, namely the Act on Wiretapping for Criminal Investigation ("Wiretapping Act"). In both cases, the warrant requirement applies.

As regards the interception of communications, Article 3 of the Wiretapping Act authorises such measures only under strict requirements. In particular, the public authorities have to obtain a prior court warrant that may only be issued for the investigation of specific serious crimes (listed in the Annex to the Act) (85) and when it is "extremely difficult to identify the criminal or clarify the situations/details of the perpetration by any other ways" (86). Under Article 5 of the Wiretapping Act, the warrant is issued for a limited period of time and additional conditions may be imposed by the judge. Moreover, the Wiretapping Act provides for a number of further guarantees, such as for instance the necessary attendance of witnesses (Articles 12, 20), the prohibition to wiretap the communications of certain privileged groups (e.g. doctors, lawyers) (Article 15), the obligation to terminate the wiretapping if it is no longer justified, even within the period of validity of the warrant (Article 18), or the general requirement to notify the individual concerned and allow access to the records within thirty days after the wiretapping has been terminated (Articles 23, 24).

For all compulsory measures based on a warrant, only such an examination "as is necessary to achieve its objective" – that is to say where the objectives pursued with the investigation cannot be achieved otherwise – may be conducted (Article 197(1) CCP). Although the criteria for determining necessity are not further specified in statutory law, the Supreme Court of Japan has ruled that the judge issuing a warrant should make an overall assessment taking into consideration in particular (i) the gravity of the offence and how it was committed; (ii) the value and importance of the materials to be seized as evidence; (iii) the probability (risk) that evidence may be concealed or destroyed; and (iv) the extent to which the seizure may cause prejudice to the individual concerned (87).

To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).

Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.

In Japan, the collection of electronic information in the area of criminal law enforcement foremost (103) falls within the responsibilities of the Prefectural Police (104), which in this regard is subject to various layers of oversight.

Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.

Third, also within the executive branch the Prefectural Police is subject to independent oversight. That includes in particular the Prefectural Public Safety Commissions established at prefectural level to ensure democratic administration and political neutrality of the police (108). These commissions are composed of members appointed by the Prefectural Governor with the consent of the Prefectural Assembly (from among citizens with no public servant position in the police in the five preceding years) and have a secure term of office (in particular only dismissal for good cause) (109). According to the information received, they are not subject to instructions, and thus can be considered as fully independent (110). As regards the tasks and powers of the Prefectural Public Safety Commissions, pursuant to Article 38(3) in conjunction with Articles 2 and 36(2) of the Police Law they are responsible for "the protection of [the] rights and freedom of an individual". To this effect, they are empowered to “supervise” (111) all investigatory activities of the Prefectural Police, including the collection of personal data. Notably, the commissions "may direct the [P]refectural [P]olice in detail or in a specific individual case of inspection of police personnel's misconduct, if necessary" (112). When the Chief of the Prefectural Police (113) receives such a direction or by him-/herself becomes aware of a possible case of misconduct (including the violation of laws or other neglect of duties), (s)he has to promptly inspect the case and report the inspection result to the Prefectural Public Safety Commission (Article 56(3) of the Police Law). Where the latter considers this necessary, it may also designate one of its members to review the status of implementation. The process continues until the Prefectural Public Safety Commission is satisfied that the incident has been appropriately addressed.

In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).

First, with respect to personal information collected by Administrative Organs, the latter are under an obligation to "endeavour to properly and expeditiously process any complaints" regarding its subsequent processing (Article 48 of the APPIHAO). While Chapter IV of the APPIHAO on individual rights is not applicable with respect to personal information recorded in "documents relating to trials and seized articles" (Article 53-2(2) of the CCP) – which covers personal information collected as part of criminal investigations – individuals may bring a complaint to invoke the general data protection principles such as for instance the obligation to only retain personal information "when the retention is necessary for performing [law enforcement functions]" (Article 3(1) of the APPIHAO).

In addition, Article 79 of the Police Law guarantees individuals who have concerns with respect to the "execution of duties" by police personnel the right to lodge a complaint with the (competent) independent Prefectural Public Safety Commission. The Commission will "faithfully" handle such complaints in accordance with laws and local ordinances and shall notify the complainant in writing of the results. Based on its authority to supervise and "direct" the Prefectural Police with respect to "personnel's misconduct" (Articles 38(3), 43-2(1) of the Police Law), it may request the Prefectural Police to investigate the facts, take appropriate measures based on the outcome of this investigation and report on the results. If it considers that the investigation carried out by the Police has not been adequate, the Commission may also provide instructions on the handling of the complaint.

In order to facilitate complaint handling, the NPA has issued a "Notice" to the Police and Prefectural Public Safety Commissions on the proper handling of complaints regarding the execution of duties by police officers. In this document, the NPA stipulates standards for the interpretation and implementation of Article 79 of the Police Law. Among others, it requires the Prefectural Police to establish a "system for handling complaints" and to handle and report all complaints to the competent Prefectural Public Safety Commission "promptly". The Notice defines complaints as claims seeking correction "for any specific disadvantage that has been inflicted as the result of an illegal or inappropriate behaviour" (115) or "failure to take a necessary action, by a police officer in his/her execution of duty" (116), as well as any "grievance/discontent about inappropriate mode of duty execution by a police officer". The material scope of a complaint is thus broadly defined, covering any claim of unlawful collection of data, and the complainant does not have to demonstrate any harm suffered as a result of a police officer’s actions. Importantly, the Notice stipulates that foreigners (among others) shall be provided with assistance in formulating a complaint. Following a complaint, the Prefectural Public Safety Commissions are required to ensure that the Prefectural Police examines the facts, implements measures "according to the result of the examination" and reports on the results. Where the Commission considers the examination to be insufficient, it shall issue an instruction on the handling of the complaint, which the Prefectual Police is required to follow. Based on the reports received and the measures taken, the Commission notifies the individual indicating, among others, the measures taken to address the complaint. The NPA Notice stresses that complaints should be handled in a "sincere manner" and that the result should be notified "within the scope of time […] deemed appropriate in the light of the social norms and common sense".

Under the mechanism, an individual who suspects that his/her data transferred from the European Union has been collected or used by public authorities in Japan (including those responsible for criminal law enforcement) in violation of the applicable rules can submit a complaint to the PPC (individually or though his/her data protection authority within the meaning of Article 51 of the GDPR). The PPC will be under an obligation to handle the complaint and in a first step inform the competent public authorities, including the relevant oversight bodies, thereof. Those authorities are required to cooperate with the PPC, "including by providing the necessary information and relevant material, so that the PPC can evaluate whether the collection or the subsequent use of personal information has taken place in compliance with the applicable rules" (117). This obligation, derived from Article 80 of the APPI (requiring Japanese public authorities to co-operate with PPC), applies in general and hence extends to the review of any investigatory measures taken by such authorities, which moreover have committed to such cooperation through written assurances from the competent ministries and agency heads, as reflected in Annex II.

If the evaluation shows that an infringment of the applicable rules has occurred, "cooperation by the concerned public authorities with the PPC includes the obligation to remedy the violation", which in case of the unlawful collection of personal information covers the deletion of such data. Importantly, this obligation is carried out under the supervision of the PPC which will "confirm, before concluding the evaluation, that the violation has been fully remedied".

Finally, under Article 1(1) of the State Redress Act a court may grant compensation where a public officer who exercises the public authority of the State has, in the course of his/her duties, unlawfully and with fault (intentionally or negligently) inflicted damage on the individual concerned. According to Article 4 of the State Redress Act, the State's liability for damages is based on the provisions of the Civil Code. In this respect, Article 710 of the Civil Code stipulates that liability also covers damages other than those to property, and hence moral damage (for instance in the form of "mental distress"). This includes cases where the privacy of an individual has been invaded by unlawful surveillance and/or the collection of his/her personal information (e.g. the illegal execution of a warrant) (121).

With respect to all those redress avenues, the dispute resolution mechanism created by the Japanese government provides that an individual who is still dissatisfied with the outcome of the procedure can address the PPC "which shall inform the individual of the various possibilities and detailed procedures for obtaining redress under Japanese laws and regulations." Moreover, the PPC "will provide the individual with support, including counselling and assistance in bringing any further action to the relevant administrative or judicial body."

This includes making use of the procedural rights under the Code of Criminal Procedure. For instance, "[w]here the evaluation reveals that an individual is a suspect in a criminal case, the PPC will inform the individual about that fact" (123) as well as the possibility pursuant to Article 259 of the CCP to ask the prosecution to be notified once the latter has decided not to initiate criminal proceedings. Also, if the evaluation reveals that a case involving the personal information of the individual has been opened and that the case is concluded, the PPC will inform the individual that the case record can be inspected pursuant to Article 53 of the CCP (and Article 4 of the Act on Final Criminal Case Records). Gaining access to his/her case record is important as it will help the individual to better understand the investigation carried out against him/her and thus to prepare an eventual court action (e.g. a damages claim) in case (s)he considers his/her data was unlawfully collected or used.

According to the Japanese authorities, there is no law in Japan permitting compulsory requests for information or "administrative wiretapping" outside criminal investigations. Hence, on national security grounds information may only be obtained from an information source that can be freely accessed by anyone or by voluntary disclosure. Business operators receiving a request for voluntary cooperation (in the form of disclosure of electronic information) are under no legal obligation to provide such information (124).

Also, according to the information received only four government entities are empowered to collect electronic information held by Japanese business operators on national security grounds, namely: (i) the Cabinet Intelligence & Research Office (CIRO); (ii) the Ministry of Defence ("MOD"); (iii) the police (both National Police Agency (NPA) (125) and Prefectural Police); and (iv) the Public Security Intelligence Agency ("PSIA"). However, the CIRO never collects information directly from business operators, including by means of interception of communications. Where it receives information from other government authorities in order to provide analysis to the Cabinet, these other authorities in turn have to comply with the law, including the limitations and safeguards analysed in this Decision. Its activities are thus not relevant in a transfer context.

As for the Prefectural Police, its responsibilities and duties include the "maintenance of public safety and order" (Article 35(2) in conjunction with Article 2(1) of the Police Law). Within this scope of jurisdiction, the police may collect information, but only on a voluntary basis without legal force. Moreover, the activities of the police shall be "strictly limited" to what is necessary to perform its duties. Moreover, it shall act in an "impartial, nonpartisan, unprejudiced and fair" manner and never abuse its powers "in any way such as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (Article 2 of the Police Law).

First, the Japanese Diet through its specialised committees may examine the lawfulness of investigations based on its powers of parliamentary scrutiny (Article 62 of the Constitution, Article 104 of the Diet Law; see recital 134). This oversight function is supported by specific reporting obligations on the activities carried out under some of the aforementioned legal bases (133).

As regards MOD, oversight is exercised by the Inspector General's Office of Legal Compliance (IGO) (134) that has been established based on Article 29 of the MOD Establishment Act as an office within the MOD under the supervision of the Minister of Defence (to which it reports) but independent from MOD's operational departments. The IGO has the task of ensuring compliance with laws and regulations as well as the proper execution of duties by MOD officials. Among its powers is the authority to carry out so-called "Defence Inspections", both at regular intervals ("Regular Defence Inspections") and in individual cases ("Special Defence Inspections"), which in the past have also covered the proper handling of personal information (135). In the context of such inspections, the IGO may enter sites (offices) and request the submission of documents or information, including explanations by the Deputy Vice-Minister of the MOD. The inspection is concluded through a report to the Minister of Defence setting out the findings and measures for improvement (the implementation of which can again be checked through further inspections). The report in turn forms the basis for instructions from the Minister of Defence to implement the measures necessary to address the situation; the Deputy Vice-Minister is charged with carrying out such measures and has to report on the follow-up.

As regards the Prefectural Police, oversight is ensured by the independent Prefectural Public Safety Commissions, as explained in recital 135 with respect to criminal law enforcement.

These oversight mechanisms, which are further strengthened through the possibility for individuals to trigger the intervention of the PPC as an independent supervisory authority (see below section 168), provide adequate guarantees against the risk of abuse by Japanese authorities of their powers in the area of national security, and against any unlawful collection of electronic information.

Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).

As is the case for investigations in the area of criminal law enforcement, also in the area of national security individuals may obtain individual redress by directly contacting the PPC. This will trigger the specific dispute resolution procedure that the Japanese government has created for EU individuals whose personal data is transferred under this Decision (see detailed explanations in recitals 141 to 144, 149).

Moreover, the Commission considers that, taken as a whole, the oversight mechanisms and redress avenues in Japanese law enable infringements by recipient PIHBOs to be identified and punished in practice and offer legal remedies to the data subject to obtain access to personal data relating to him/her and, eventually, the rectification or erasure of such data.

Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.

According to the case law of the Court of Justice (147), and as recognized in Article 45(4) of Regulation (EU) 2016/679, the Commission should continuously monitor relevant developments in the third country after the adoption of an adequacy decision in order to assess whether Japan still ensures an essentially equivalent level of protection. Such a check is required, in any event, when the Commission receives information giving rise to a justified doubt in that respect.

Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. At the same time, as explained by the Court of Justice in the Schrems judgment (148) and recognised in Article 58(5) of the Regulation, where a DPA questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (149).

To this end, this Decision should be subject to a first review within two years after its entry into force. Following that first review, and depending on its outcome, the Commission will decide in close consultation with the Committee established under Article 93(1) of the GDPR whether the two-year-cycle should be maintained. In any case, the subsequent reviews should take place at least every four years (151). The review should cover all aspects of the functioning of this Decision, and in particular the application of the Supplementary Rules (with special attention paid to protections afforded in case of onward transfers), the application of the rules on consent, including in case of withdrawal, the effectiveness of the exercise of individual rights, as well as the limitations and safeguards with respect to government access, including the redress mechanism as set out in Annex II to this Decision. It should also cover the effectiveness of oversight and enforcement, as regards the rules applicable to both PIHBOs and in the area of criminal law enforcement and national security.

Where, on the basis of the regular and ad hoc checks or any other information available, the Commission concludes that the level of protection afforded by the Japanese legal order can no longer be regarded as essentially equivalent to that in the European Union, it should inform the competent Japanese authorities thereof and request that appropriate measures be taken within a specified, reasonable timeframe. This includes the rules applicable to both business operators and Japanese public authorities responsible for criminal law enforcement or national security. For example, such a procedure would be triggered in cases where onward transfers, including on the basis of decisions adopted by the PPC under Article 24 of the APPI recognising a third country as providing an equivalent level of protection to the one guaranteed in Japan, will no longer be carried out under safeguards ensuring the continuity of protection within the meaning of Article 44 of the GDPR.