(1)
Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope. The rules on international transfers of personal data are laid down in Chapter V of that Regulation, more specifically in Articles 44 to 50. The flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade, while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.
(14)
Recently, by a Cabinet Decision adopted on 12 June 2018, the Japanese government amended the "Basic Policy". With a view to facilitating international data transfers, that Cabinet Decision delegates to the PPC, as the authority competent for administering and implementing the APPI, "the power to take the necessary action to bridge differences of the systems and operations between Japan and the concerned foreign country based on Article 6 of the Act in view of ensuring appropriate handling of personal information received from such country". The Cabinet Decision stipulates that this includes the power to establish enhanced protections through the adoption by the PPC of stricter rules supplementing and going beyond those laid down in the APPI and the Cabinet Order. Pursuant to that Decision, these stricter rules shall be binding and enforceable on Japanese business operators.
(35)
Under the APPI, no specific distinction is drawn between the obligations imposed on controllers and processors. The absence of this distinction does not affect the level of protection because all PIHBOs are subject to all provisions of the Act. A PIHBO that entrusts the handling of personal data to a trustee (the equivalent of a processor under the GDPR) remains subject to the obligations under the APPI and Supplementary Rules with regard to the data it has entrusted. Additionally, under Article 22 of the APPI, it is bound to "exercise necessary and appropriate supervision" over the trustee. In turn, as the PPC has confirmed, the trustee is itself bound by all the obligations in the APPI and the Supplementary Rules.
(38)
In order to ensure an adequate level of protection of personal data transferred from the European Union to business operators in Japan, only processing of personal information falling within the scope of Chapter IV of the APPI – i.e. by a PIHBO to the extent the processing situation does not correspond to one of the sectoral exclusions – should be covered by this Decision. Its scope should therefore be aligned to that of the APPI. According to the information received from the PPC, where a PIHBO covered by this Decision subsequently modifies the utilisation purpose (to the extent this is permissible) and would then be covered by one of the sectoral exclusions in Article 76 of the APPI, this would be considered as an international transfer (given that, in such cases, the processing of the personal information would no longer be covered by Chapter IV of the APPI and thus fall outside its scope of application). The same would apply in case a PIHBO provides personal information to an entity covered by Article 76 of the APPI for use for one of the processing purposes indicated in that provision. As regards personal data transferred from the European Union, this would therefore constitute an onward transfer subject to the relevant safeguards (notably those specified in Article 24 of the APPI and Supplementary Rule (4)). Where the PIHBO relies on the data subject's consent (25), it would have to provide him/her with all the necessary information, including that the personal information would no longer be protected by the APPI.
(42)
Moreover, under Article 16(1) of the APPI, PIHBOs are prohibited from handling personal information beyond the "necessary scope to achieve a utilization purpose" specified under Article 15 without obtaining in advance a data subject's consent, unless one of the derogations in Article 16(3) applies (27).
(50)
Furthermore, in case the PIHBO would like to change the purpose as previously specified under Regulation (EU) 2016/679, pursuant to Article 16(1) of the APPI it would have to obtain, in principle, the consent of the data subject. Without that consent, any data processing going beyond the scope necessary for achieving that utilisation purpose would constitute a violation of Article 16(1) that would be enforceable by the PPC and the courts.
(52)
Data should be accurate and, where necessary, kept up to date. It should also be adequate, relevant and not excessive in relation to the purposes for which it is processed.
(53)
These principles are ensured in Japanese law by Article 16(1) of the APPI, which prohibits the handling of personal information beyond "the necessary scope to achieve a utilisation purpose". As explained by the PPC, this not only excludes the use of data that is not adequate and the excessive use of data (beyond what is necessary for achieving the utilisation purpose), but also entails the prohibition to handle data not relevant for the achievement of the utilisation purpose.
(54)
As concerns the obligation to keep data accurate and up to date, Article 19 of the APPI requires the PIHBO to "strive to keep personal data accurate and up-to-date within the scope necessary to achieve a utilisation purpose". That provision should be read together with Article 16(1) of the APPI: according to the explanations received from the PPC, if a PIHBO fails to meet the prescribed standards of accuracy, the processing of the personal information will not be considered as achieving the utilisation purpose and hence, its handling will become unlawful under Article 16(1).
(55)
Data should in principle be kept for no longer than is necessary for the purposes for which the personal data is processed.
(56)
According to Article 19 of the APPI, PIHBOs are required to "strive […] to delete the personal data without delay when such utilisation has become unnecessary". That provision needs to be read in conjunction with Article 16(1) of the APPI prohibiting the handling of personal information beyond "the necessary scope to achieve a utilisation purpose". Once the utilisation purpose has been achieved, processing of personal information cannot be considered necessary anymore and, hence, cannot continue (unless the PIHBO obtains the data subject's consent to do so).
(58)
This principle is implemented in Japanese law by Article 20 of the APPI, providing that a PIHBO "shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data." The PPC Guidelines explain the measures to be taken, including the methods for the establishment of basic policies, data handling rules and various "control actions" (regarding organisational safety as well as human, physical and technological security) (35). In addition, the PPC Guidelines and a dedicated Notice (Appendix 8 on "Contents of the safety management measures that have to be taken") published by the PPC provide more details on measures concerning security incidents involving, for example, the leakage of personal information, as part of the security management measures to be taken by PIHBOs (36).
(59)
Furthermore, whenever personal information is handled by employees or sub-contractors, "necessary and appropriate supervision" must be ensured under Articles 20 and 21 of the APPI for security control purposes. Finally, pursuant to Article 83 of the APPI, intentional leakage or theft of personal information is punishable by a sanction of up to one year of imprisonment.
(61)
Article 18(1) of the APPI requires the PIHBO to make information about the utilisation purpose of the personal information acquired available to the data subject, except for "cases where a utilisation purpose has been disclosed in advance to the public". The same obligation applies in case of a permissible change of purpose (Article 18(3)). This also ensures that the data subject is informed of the fact that his/her data has been collected. Although the APPI does not generally require the PIHBO to inform the data subject about the expected recipients of personal information at the stage of collection, such information is a necessary condition for any subsequent disclosure of information to a third party (recipient) based on Article 23(2), hence where this is done without prior consent of the data subject.
(73)
Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PIHBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).
(76)
A first protection is enshrined in Article 24 of the APPI which generally prohibits the transfer of personal data to a third party outside the territory of Japan without the prior consent of the individual concerned. Supplementary Rule (4) ensures that in the case of data transfers from the European Union such consent will be particularly well informed as it requires that the individual concerned shall be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent". On that basis, the data subject shall be informed of the fact that the data will be transferred abroad (outside the scope of application of the APPI) and of the specific country of destination. This will allow him/her to assess the risk for privacy involved with the transfer. Also, as can be inferred from Article 23 of the APPI (see recital 47), the information provided to the principal should cover the compulsory items under its paragraph 2, namely the categories of personal data provided to a third party and the method of disclosure.
(86)
Second, pursuant to Article 29(1) and (2) of the APPI, a data subject has a right to request the correction, addition or deletion of his/her retained personal data in the case where the data is inaccurate. Upon receipt of such a request, the PIHBO "shall […] conduct a necessary investigation" and, based on the results of such an investigation, "make a correction etc. of the contents of the retained data".
(88)
When the request is founded, the PIHBO shall without delay discontinue the use of the data, or the provision to a third party, to the extent necessary to remedy the violation or, if a case is covered by an exception (notably if the utilisation cease would cause particularly high costs) (55), implement necessary alternative measures to protect the rights and interests of the individual concerned.
(97)
The powers of the PPC, which it exercises in full independence (58), are mainly provided for in Articles 40, 41 and 42 of the APPI. Under Article 40, the PPC may request PIHBOs to report or submit documents on processing operations and may also carry out inspections, both on-site and of books or other documents. To the extent necessary to enforce the APPI, the PPC may also provide PIHBOs with guidance or advice as regards the handling of personal information. The PPC has already made use of this power under Article 41 APPI by addressing guidance to Facebook, following the Facebook/Cambridge Analytica revelations.
(99)
Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.
(100)
Pursuant to Article 42(1) of the APPI, the PPC can, if it recognizes that there is a "need for protecting an individual's rights and interests in cases where a [PIHBO] has violated" specific APPI provisions, issue a recommendation to "suspend the act of violating or take other necessary action to rectify the violation". Such a recommendation is not binding, but opens the way for a binding order pursuant to Article 42(2) of the APPI. Based on this provision, if the recommendation is not followed "without legitimate grounds" and the PPC "recognises that a serious infringement of an individual's rights and interests is imminent", it can order the PIHBO to take action in line with the recommendation.
(104)
Before or instead of seeking administrative or judicial redress, an individual may decide to submit a complaint about the processing of his/her personal data to the controller itself. Based on Article 35 of the APPI, PIHBOs shall endeavour to deal with such complaints "appropriately and promptly" and establish internal complaint-handling systems to achieve this objective. In addition, under Article 61(ii) of the APPI the PPC is responsible for the "necessary mediation on a lodged complaint and cooperation offered to a business operator who deals with the complaint", which in both cases includes complaints submitted by foreigners. In this regard, the Japanese legislator has also entrusted the central government with the task of taking "necessary action" to enable and facilitate the resolution of complaints by PIHBOs (Article 9), while local governments shall endeavour to ensure mediation in such cases (Article 13). In that respect, individuals may lodge a complaint with one of the more than 1 700 consumer centres established by local governments based on the Consumer Safety Act (61), in addition to the possibility of lodging a complaint with the National Consumer Affairs Centre of Japan. Such complaints may also be brought with respect to a violation of the APPI. Under Article 19 of the Basic Consumer Act (62), local governments shall endeavour to engage in mediation with respect to complaints and provide the parties with necessary expertise. Those dispute resolution mechanisms appear quite effective, with a resolution rate of 91,2 % concerning more than 75 000 complaint cases in 2015.
(110)
Where an individual is not satisfied with a course of action undertaken by the PPC, (s)he may file an administrative appeal under the Administrative Complaint Review Act (67). Conversely, where an individual considers that the PPC should have acted but failed to do so, an individual may request the PPC pursuant to Article 36-3 of that Act to make a disposition or provide administrative guidance if (s)he considers that "a disposition or administrative guidance necessary for the correction of the violation has not been rendered or imposed".
(118)
As regards specifically the right to data protection, Chapter III, Sections 1, 2 and 3 of the APPI lays down general principles covering all sectors, including the public sector. In particular, Article 3 of the APPI provides that all personal information must be handled in accordance with the principle of respect for the personality of individuals. Once personal information, including as part of electronic records, has been collected ("obtained") by public authorities (78), its handling is governed by the Act on the Protection of Personal Information held by Administrative Organs ("APPIHAO") (79). This includes in principle (80) also the processing of personal information for criminal law enforcement or national security purposes. Among others, the APPIHAO provides that public authorities: (i) may only retain personal information to the extent this is necessary for carrying out their duties; (ii) shall not use such information for an "unjust" purpose or disclose it to a third person without justification; (iii) shall specify the purpose and not change that purpose beyond what can reasonably be considered as relevant for the original purpose (purpose limitation); (iv) shall in principle not use or provide a third person with the retained personal information for other purposes and, if they consider this necessary, impose restrictions on the purpose or method of use by third parties; (v) shall endeavour to ensure the correctness of the information (data quality); (vi) shall take the necessary measures for the proper management of the information and to prevent leakage, loss or damage (data security); and (vii) shall endeavour to properly and expeditiously process any complaints regarding the processing of the information (81).
(122)
More specifically, pursuant to Article 218(1) of the CCP, a public prosecutor, a public prosecutor's assistant officer or a judicial police official may, if necessary for the investigation of an offence, conduct a search or seizure (including ordering records) upon a warrant issued by a judge in advance (83). Among others, such a warrant shall contain the name of the suspect or accused, the charged offence (84), the electromagnetic records to be seized and the "place or articles" to be inspected (Article 219(1) of the CCP).
(123)
As regards the interception of communications, Article 3 of the Wiretapping Act authorises such measures only under strict requirements. In particular, the public authorities have to obtain a prior court warrant that may only be issued for the investigation of specific serious crimes (listed in the Annex to the Act) (85) and when it is "extremely difficult to identify the criminal or clarify the situations/details of the perpetration by any other ways" (86). Under Article 5 of the Wiretapping Act, the warrant is issued for a limited period of time and additional conditions may be imposed by the judge. Moreover, the Wiretapping Act provides for a number of further guarantees, such as for instance the necessary attendance of witnesses (Articles 12, 20), the prohibition to wiretap the communications of certain privileged groups (e.g. doctors, lawyers) (Article 15), the obligation to terminate the wiretapping if it is no longer justified, even within the period of validity of the warrant (Article 18), or the general requirement to notify the individual concerned and allow access to the records within thirty days after the wiretapping has been terminated (Articles 23, 24).
(124)
For all compulsory measures based on a warrant, only such an examination "as is necessary to achieve its objective" – that is to say where the objectives pursued with the investigation cannot be achieved otherwise – may be conducted (Article 197(1) CCP). Although the criteria for determining necessity are not further specified in statutory law, the Supreme Court of Japan has ruled that the judge issuing a warrant should make an overall assessment taking into consideration in particular (i) the gravity of the offence and how it was committed; (ii) the value and importance of the materials to be seized as evidence; (iii) the probability (risk) that evidence may be concealed or destroyed; and (iv) the extent to which the seizure may cause prejudice to the individual concerned (87).
(126)
To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).
(127)
Specifically with respect to Article 197(2) of the CCP, the National Police Agency ("NPA") – as the federal authority in charge, among others, of all matters concerning the criminal police – has issued instructions to the Prefectural Police (93) on the "proper use of written inquiries in investigative matters". According to this Notification, requests must be made using a pre-established form ("Form No. 49" or so-called "enquiry sheet") (94), concern records "regarding a specific investigation" and the requested information must be "necessary for [that] investigation". In each case, the chief investigator shall "fully examine the necessity, content, etc. of [the] individual enquiry" and must receive internal approval from a high-ranking official.
(128)
Moreover, in two judgments from 1969 and 2008 (95), the Supreme Court of Japan has stipulated limitations with respect to non-compulsory measures that interfere with the right to privacy (96). In particular, the court considered that such measures must be "reasonable" and stay within "generally allowable limits", that is to say they must be necessary for the investigation of a suspect (collection of evidence) and carried out "by appropriate methods for achieving the purpose of [the] investigation" (97). The judgments show that this entails a proportionality test, taking into account all the circumstances of the case (e.g. the level of interference with the right to privacy, including the expectation of privacy, the seriousness of the crime, the likelihood to obtain useful evidence, the importance of that evidence, possible alternative means of investigation, etc.) (98).
(130)
Upon collection by the Japanese public authorities, personal information falls within the scope of application of the APPIHAO. That Act regulates the handling (processing) of "retained personal information", and insofar imposes a number of limitations and safeguards (see recital 118) (102). Moreover, the fact that an Administrative Organ may retain personal information "only when the retention is necessary for performing the affairs under its jurisdiction provided by laws and regulations" (Article 3(1) of the APPIHAO) also imposes restrictions – at least indirectly – on the initial collection.
(133)
While there is no ex-ante check by a judge in the case of requests for voluntary disclosure, business operators to whom such requests are addressed can object to them without risking any negative consequences (and will have to take into account the privacy impact of any disclosure). Moreover, according to Article 192(1) of the CCP, police officials shall always cooperate and coordinate their actions with the public prosecutor (and the Prefectural Public Safety Commission) (105). In turn, the public prosecutor may give the necessary general instructions setting forth standards for a fair investigation and/or issue specific orders with respect to an individual investigation (Article 193 of the CCP). Where such instructions and/or orders are not followed, the prosecution may file charges for disciplinary action (Article 194 of the CCP). Hence, the Prefectural Police operates under the supervision of the public prosecutor.
(134)
Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.
(135)
Third, also within the executive branch the Prefectural Police is subject to independent oversight. That includes in particular the Prefectural Public Safety Commissions established at prefectural level to ensure democratic administration and political neutrality of the police (108). These commissions are composed of members appointed by the Prefectural Governor with the consent of the Prefectural Assembly (from among citizens with no public servant position in the police in the five preceding years) and have a secure term of office (in particular only dismissal for good cause) (109). According to the information received, they are not subject to instructions, and thus can be considered as fully independent (110). As regards the tasks and powers of the Prefectural Public Safety Commissions, pursuant to Article 38(3) in conjunction with Articles 2 and 36(2) of the Police Law they are responsible for "the protection of [the] rights and freedom of an individual". To this effect, they are empowered to “supervise” (111) all investigatory activities of the Prefectural Police, including the collection of personal data. Notably, the commissions "may direct the [P]refectural [P]olice in detail or in a specific individual case of inspection of police personnel's misconduct, if necessary" (112). When the Chief of the Prefectural Police (113) receives such a direction or by him-/herself becomes aware of a possible case of misconduct (including the violation of laws or other neglect of duties), (s)he has to promptly inspect the case and report the inspection result to the Prefectural Public Safety Commission (Article 56(3) of the Police Law). Where the latter considers this necessary, it may also designate one of its members to review the status of implementation. The process continues until the Prefectural Public Safety Commission is satisfied that the incident has been appropriately addressed.
(136)
In addition, with respect to the correct application of the APPIHAO, the competent minister or agency head (e.g. the Commissioner General of the NPA) has enforcement authority, subject to the supervision by the Ministry of Internal Affairs and Communications (MIC). According to Article 49 APPIHAO, the MIC "may collect reports on the status of enforcement of this Act" from the heads of Administrative Organs (Minister). That oversight function is supported by input from MIC's 51 "comprehensive information centres" (one in each Prefecture throughout Japan) that each year handle thousands of inquiries from individuals (114) (which, in turn, may reveal possible violations of the law). Where it considers this necessary for ensuring compliance with the Act, MIC may request the submission of explanations and materials, and issue opinions, concerning the handling of personal information by the concerned Administrative Organ (Articles 50, 51 APPIHAO).
(138)
First, with respect to personal information collected by Administrative Organs, the latter are under an obligation to "endeavour to properly and expeditiously process any complaints" regarding its subsequent processing (Article 48 of the APPIHAO). While Chapter IV of the APPIHAO on individual rights is not applicable with respect to personal information recorded in "documents relating to trials and seized articles" (Article 53-2(2) of the CCP) – which covers personal information collected as part of criminal investigations – individuals may bring a complaint to invoke the general data protection principles such as for instance the obligation to only retain personal information "when the retention is necessary for performing [law enforcement functions]" (Article 3(1) of the APPIHAO).
(140)
In order to facilitate complaint handling, the NPA has issued a "Notice" to the Police and Prefectural Public Safety Commissions on the proper handling of complaints regarding the execution of duties by police officers. In this document, the NPA stipulates standards for the interpretation and implementation of Article 79 of the Police Law. Among others, it requires the Prefectural Police to establish a "system for handling complaints" and to handle and report all complaints to the competent Prefectural Public Safety Commission "promptly". The Notice defines complaints as claims seeking correction "for any specific disadvantage that has been inflicted as the result of an illegal or inappropriate behaviour" (115) or "failure to take a necessary action, by a police officer in his/her execution of duty" (116), as well as any "grievance/discontent about inappropriate mode of duty execution by a police officer". The material scope of a complaint is thus broadly defined, covering any claim of unlawful collection of data, and the complainant does not have to demonstrate any harm suffered as a result of a police officer's actions. Importantly, the Notice stipulates that foreigners (among others) shall be provided with assistance in formulating a complaint. Following a complaint, the Prefectural Public Safety Commissions are required to ensure that the Prefectural Police examines the facts, implements measures "according to the result of the examination" and reports on the results. Where the Commission considers the examination to be insufficient, it shall issue an instruction on the handling of the complaint, which the Prefectural Police is required to follow. Based on the reports received and the measures taken, the Commission notifies the individual indicating, among others, the measures taken to address the complaint.
The NPA Notice stresses that complaints should be handled in a "sincere manner" and that the result should be notified "within the scope of time […] deemed appropriate in the light of the social norms and common sense".
(142)
Under the mechanism, an individual who suspects that his/her data transferred from the European Union has been collected or used by public authorities in Japan (including those responsible for criminal law enforcement) in violation of the applicable rules can submit a complaint to the PPC (individually or through his/her data protection authority within the meaning of Article 51 of the GDPR). The PPC will be under an obligation to handle the complaint and in a first step inform the competent public authorities, including the relevant oversight bodies, thereof. Those authorities are required to cooperate with the PPC, "including by providing the necessary information and relevant material, so that the PPC can evaluate whether the collection or the subsequent use of personal information has taken place in compliance with the applicable rules" (117). This obligation, derived from Article 80 of the APPI (requiring Japanese public authorities to co-operate with PPC), applies in general and hence extends to the review of any investigatory measures taken by such authorities, which moreover have committed to such cooperation through written assurances from the competent ministries and agency heads, as reflected in Annex II.
(153)
According to the information received, the MOD collects (electronic) information on the basis of the MOD Establishment Act. Pursuant to its Article 3, the mission of the MOD is to manage and operate the military forces and "to conduct such affairs as related thereto in order to secure national peace and independence, and the safety of the nation." Article 4(4) provides that the MOD shall have jurisdiction over the "defence and guard", over the actions to be taken by the Self-Defence Forces as well as over the deployment of the military forces, including the collection of information necessary to conduct those affairs. It only has authority to collect (electronic) information from business operators through voluntary cooperation.
(154)
As for the Prefectural Police, its responsibilities and duties include the "maintenance of public safety and order" (Article 35(2) in conjunction with Article 2(1) of the Police Law). Within this scope of jurisdiction, the police may collect information, but only on a voluntary basis without legal force. Moreover, the activities of the police shall be "strictly limited" to what is necessary to perform its duties. Moreover, it shall act in an "impartial, nonpartisan, unprejudiced and fair" manner and never abuse its powers "in any way such as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (Article 2 of the Police Law).
(155)
Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128)) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).
(156)
In all cases of government access on national security grounds described in this section, the limitations stipulated by the Japanese Supreme Court for voluntary investigations apply, which means that the collection of (electronic) information must conform with the principles of necessity and proportionality ("appropriate method") (131). As explicitly confirmed by the Japanese authorities, "the collection and processing of information takes place only to the extent necessary to the performance of specific duties of the competent public authority as well as on the basis of specific threats". Therefore, "this excludes mass and indiscriminate collection or access to personal information for national security reasons" (132).
(161)
As regards MOD, oversight is exercised by the Inspector General's Office of Legal Compliance (IGO) (134) that has been established based on Article 29 of the MOD Establishment Act as an office within the MOD under the supervision of the Minister of Defence (to which it reports) but independent from MOD's operational departments. The IGO has the task of ensuring compliance with laws and regulations as well as the proper execution of duties by MOD officials. Among its powers is the authority to carry out so-called "Defence Inspections", both at regular intervals ("Regular Defence Inspections") and in individual cases ("Special Defence Inspections"), which in the past have also covered the proper handling of personal information (135). In the context of such inspections, the IGO may enter sites (offices) and request the submission of documents or information, including explanations by the Deputy Vice-Minister of the MOD. The inspection is concluded through a report to the Minister of Defence setting out the findings and measures for improvement (the implementation of which can again be checked through further inspections). The report in turn forms the basis for instructions from the Minister of Defence to implement the measures necessary to address the situation; the Deputy Vice-Minister is charged with carrying out such measures and has to report on the follow-up.
(163)
Finally, as indicated, the PSIA may only carry out investigations to the extent this is necessary with respect to the adoption of a prohibition, dissolution or surveillance disposition under the SAPA/ACO, and for these dispositions the independent (136) Public Security Examination Commission exercises ex ante oversight. In addition, regular/periodic inspections (which in a comprehensive manner look at PSIA's operations) (137) and special internal inspections (138) on the activities of individual departments/offices etc. are carried out by specifically designated inspectors and may lead to instructions to the heads of relevant departments etc. to take corrective or improvement measures.
(166)
Moreover, unlike for criminal investigations, individuals (including foreign nationals living abroad) have in principle a right to disclosure (139), correction (including deletion) and suspension of use/provision under the APPIHAO. This being said, the head of the Administrative Organ may refuse disclosure with respect to information "for which there are reasonable grounds […] to find that disclosure is likely to cause harm to national security" (Article 14(iv) APPIHAO) and may even do so without revealing the existence of such information (Article 17 APPIHAO). Likewise, while an individual may request suspension of use or deletion pursuant to Article 36(1)(i) APPIHAO in case the Administrative Organ has obtained the information unlawfully or retains/uses it beyond what is necessary to achieve the specified purpose, the authority may reject the request if it finds that the suspension of use "is likely to hinder the proper execution of the affairs pertaining to the Purpose of Use of the Retained Personal Information due to the nature of the said affairs" (Article 38 APPIHAO). Still, where it is possible to easily separate and exclude portions that are subject to an exception, Administrative Organs are required to grant at least partial disclosure (see e.g. Article 15(1) APPIHAO) (140).
(173)
Finally, on the basis of the available information about the Japanese legal order, including the representations, assurances and commitments from the Japanese government contained in Annex II, the Commission considers that any interference with the fundamental rights of the individuals whose personal data are transferred from the European Union to Japan by Japanese public authorities for public interest purposes, in particular criminal law enforcement and national security purposes, will be limited to what is strictly necessary to achieve the legitimate objective in question, and that effective legal protection against such interference exists.
(179)
Member States and their organs are required to take the measures necessary to comply with acts of the Union institutions, as the latter are presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality. Consequently, a Commission adequacy decision adopted pursuant to Article 45(3) of Regulation (EU) 2016/679 is binding on all organs of the Member States to which it is addressed, including their independent supervisory authorities. At the same time, as explained by the Court of Justice in the Schrems judgment (148) and recognised in Article 58(5) of the Regulation, where a DPA questions, including upon a complaint, the compatibility of a Commission adequacy decision with the fundamental rights of the individual to privacy and data protection, national law must provide it with a legal remedy to put those objections before a national court which, in case of doubts, must stay proceedings and make a reference for a preliminary ruling to the Court of Justice (149).
(187)
The Commission should also consider initiating the procedure leading to the amendment, suspension or repeal of this Decision if, in the context of the Joint Review or otherwise, the competent Japanese authorities fail to provide the information or clarifications necessary for the assessment of the level of protection afforded to personal data transferred from the European Union to Japan or compliance with this Decision. In this respect, the Commission should take into account the extent to which the relevant information can be obtained from other sources.