Under the APPI, no specific distinction is drawn between the obligations imposed on controllers and processors. The absence of this distinction does not affect the level of protection because all PIHBOs are subject to all provisions of the Act. A PIHBO that entrusts the handling of personal data to a trustee (the equivalent of a processor under the GDPR) remains subject to the obligations under the APPI and Supplementary Rules with regard to the data it has entrusted. Additionally, under Article 22 of the APPI, it is bound to "exercise necessary and appropriate supervision" over the trustee. In turn, as the PPC has confirmed, the trustee is itself bound by all the obligations in the APPI and the Supplementary Rules.

Article 76 of the APPI excludes certain types of data processing from the application of Chapter IV of the Act, which contains the central data protection provisions (basic principles, obligations of business operators, individual rights, supervision by the PPC). Processing covered by the sectoral exclusion in Article 76 is also exempted from the enforcement powers of the PPC, pursuant to Article 43(2) of the APPI (24).

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

Second, in the case where an alleged infringement does not concern individual rights under Articles 28, 29 and 30 but general data protection principles or obligations of the PIHBO, the concerned individual may bring a civil action against the business operator based on the torts provisions of the Japanese Civil Code, especially Article 709. While a lawsuit under Article 709 requires, aside from fault (intention or negligence), a demonstration of harm, according to Article 710 of the Civil Code such harm may be both material and immaterial. No limitation is imposed as to the amount of compensation.

Although not all provisions of Chapter IV, Section 1 of the APPI are listed in Article 42(1) – which also determines the scope of application of Article 42(2) – this can be explained by the fact that certain of those provisions do not concern obligations of the PIHBO (59) and that all essential protections are already afforded by other provisions that are included in that list. For instance, although Article 15 (requiring the PIHBO to set the utilisation purpose and process the relevant personal information exclusively within its scope) is not mentioned, failure to observe this requirement can give ground to a recommendation based on a violation of Article 16(1) (prohibiting the PIHBO to process personal information beyond what is necessary to achieve the utilisation purpose, unless it obtains the data subject's consent) (60). Another provision not listed in Article 42(1) is Article 19 of the APPI on data accuracy and retention. Non-compliance with that provision can be enforced either as a violation of Article 16(1) or based on a violation of Article 29(2), if the individual concerned asks for the correction or deletion of erroneous or excessive data and the PIHBO refuses to satisfy the request. As regards the rights of the data subject according to Articles 28(1), 29(1) and 30(1), oversight by the PPC is ensured by granting it enforcement powers with respect to the corresponding obligations of the PIHBO laid down in those Articles.

Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.

Second, according to Article 62 of the Constitution, each House of the Japanese parliament (the Diet) may conduct investigations in relation to the government, including with respect to the lawfulness of information collection by the police. To that end, it may demand the presence and testimony of witnesses, and/or the production of records. Those powers of inquiry are further specified in the Diet Law, in particular Chapter XII. In particular, Article 104 of the Diet Law provides that the Cabinet, public agencies and other parts of the government "must comply with the requests of a House or any of its Committees for the production of reports and records necessary for consideration of investigation." Refusal to comply is allowed only if the government provides a plausible reason found acceptable by the Diet, or upon issuance of a formal declaration that the production of the reports or records would be "gravely detrimental to the national interest" (106). In addition, Diet members may ask written questions to the Cabinet (Articles 74, 75 of the Diet Law), and in the past such "written inquiries" have also addressed the handling of personal information by the administration (107). The Diet's role in supervising the executive is supported by reporting obligations, for instance pursuant to Article 29 of the Wiretapping Act.

First, the Japanese Diet through its specialised committees may examine the lawfulness of investigations based on its powers of parliamentary scrutiny (Article 62 of the Constitution, Article 104 of the Diet Law; see recital 134). This oversight function is supported by specific reporting obligations on the activities carried out under some of the aforementioned legal bases (133).