Regulation (EU) 2016/679 sets out the rules for the transfer of personal data from controllers or processors in the European Union to third countries and international organisations to the extent that such transfers fall within its scope. The rules on international transfers of personal data are laid down in Chapter V of that Regulation, more specifically in Articles 44 to 50. The flow of personal data to and from countries outside the European Union is necessary for the expansion of international cooperation and international trade, while guaranteeing that the level of protection afforded to personal data in the European Union is not undermined.

Pursuant to Article 45(3) of Regulation (EU) 2016/679, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country or an international organisation ensure an adequate level of protection. Under this condition, transfers of personal data to that third country, territory, sector or international organisation can take place without the need to obtain any further authorisation, as provided for in Article 45(1) and recital 103 of the Regulation.

The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).

This Decision has the effect that transfers from a controller or processor in the European Economic Area (EEA) (7) to such organisations in Japan may take place without the need to obtain any further authorisation. This Decision does not affect the direct application of Regulation (EU) 2016/679 to such organisations when the conditions of its Article 3 are fulfilled.

On the basis of Article 6 of the APPI and that Cabinet Decision, the PPC on 15 June 2018 adopted "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision" (the "Supplementary Rules") with a view to enhance the protection of personal information transferred from the European Union to Japan based on the present adequacy decision. Those Supplementary Rules are legally binding on Japanese business operators and enforceable, both by the PPC and by courts, in the same way as the provisions of the APPI that the Rules supplement with stricter and/or more detailed rules (12). As Japanese business operators receiving and/or further processing personal data from the European Union will be under a legal obligation to comply with the Supplementary Rules, they will need to ensure (e.g. by technical ("tagging") or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their "life cycle" (13). In the following sections, the content of each Supplementary Rule is analysed as part of the assessment of the articles of the APPI it complements.

The scope of application of the APPI is determined by the defined concepts of Personal Information, Personal Data and Personal Information Handling Business Operator. At the same time, the APPI provides for some important exemptions from its scope, most importantly for Anonymously Processed Personal Data and for specific types of processing by certain operators. While the APPI does not use the term "processing", it relies on the equivalent concept of "handling" which, according to the information received from the PPC, covers "any act on personal data" including the acquisition, input, accumulation, organisation, storage, editing/processing, renewal, erasure, output, utilization, or provision of personal information.

According to the PPC Guidelines, "business" means any "conduct aimed at exercising, for a certain goal, regardless of whether or not for profit, repeatedly and continuously, a socially recognised enterprise". Organisations without legal personality (such as de facto associations) or individuals are considered as a PIHBO if they provide (use) a personal information database etc. for their business (23). Therefore, the notion of "business" under the APPI is very broad in that it includes not only for-profit but also not-for-profit activities by all kinds of organisations and individuals. Moreover, "use in business" also covers personal information that is not used in the operator's (external) commercial relationships, but internally, for instance the processing of employee data.

The relevant categories for the sectoral exclusion in Article 76 of the APPI are defined by using a double criterion based on the type of PIHBO processing the personal information and the purpose of processing. More specifically, the exclusion applies to: (i) broadcasting institutions, newspaper publishers, communication agencies or other press organisations (including any individuals carrying out press activities as their business) to the extent they process personal information for press purposes; (ii) persons engaged in professional writing, to the extent this involves personal information; (iii) universities and any other organisations or groups aimed at academic studies, or any person belonging to such an organisation, to the extent they process personal information for the purpose of academic studies; (iv) religious bodies to the extent they process personal information for purposes of religious activity (including all related activities); and (v) political bodies to the extent they process personal information for the purposes of their political activity (including all related activities). Processing of personal information for one of the purposes listed in Article 76 by other types of PIHBOs as well as processing of personal information by one of the listed PIHBOs for other purposes, for instance in the employment context, remain covered by the provisions of Chapter IV.

Personal data should be processed in a manner that ensures their security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To that end, business operators should take appropriate technical or organisational measures to protect personal data from possible threats. These measures should be assessed taking into consideration the state of the art and related costs.

This principle is implemented in Japanese law by Article 20 of the APPI, providing that a PIHBO "shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data." The PPC Guidelines explain the measures to be taken, including the methods for the establishment of basic policies, data handling rules and various "control actions" (regarding organisational safety as well as human, physical and technological security) (35). In addition, the PPC Guidelines and a dedicated Notice (Appendix 8 on "Contents of the safety management measures that have to be taken") published by the PPC provide more details on measures concerning security incidents involving, for example, the leakage of personal information, as part of the security management measures to be taken by PIHBOs (36).

Under the accountability principle, entities processing data are required to put in place appropriate technical and organisational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority.

Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PHIBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).

Accredited personal information protection organisations submit annual reports on their operations. According to the "Overview of the Implementation Status [of] the APPI in FY 2015" published by the PPC, accredited personal information protection organisations received a total of 442 complaints, required 123 explanations from business operators under their jurisdiction, requested documents from these operators in 41 cases, gave 181 instructions and made two recommendations (45).

To the extent such a request is directed at a business operator and concerns personal information, the business operator has to comply with the requirements of the APPI. According to Article 23(1) of the APPI, business operators may disclose personal information to third parties without consent of the individual concerned only in certain cases, including where the disclosure is "based on laws and regulations" (89). In the area of criminal law enforcement, the legal basis for such requests is provided by Article 197(2) of the CCP according to which "private organisations may be asked to report on necessary matters relating to the investigation." Since such an "enquiry sheet" is permissible only as part of a criminal investigation, it always presupposes a concrete suspicion of an already committed crime (90). Moreover, since such investigations are generally carried out by the Prefectural Police, the limitations pursuant to Article 2(2) of the Police Law (91) apply. According to that provision, the activities of the police are "strictly limited" to the fulfilment of their responsibilities and duties (that is to say the prevention, suppression and investigation of crimes). Moreover, in performing its duties, the police shall act in an impartial, unprejudiced and fair manner and must never abuse its powers "in such a way as to interfere with the rights and liberties of an individual guaranteed in the Constitution of Japan" (which include, as indicated, the right to privacy and data protection) (92).

Finally, the PSIA may carry out investigations under the Subversive Activities Prevention Act ("SAPA") and the Act on the Control of Organisations Which Have Committed Acts of Indiscriminate Mass Murder ("ACO") where such investigations are necessary to prepare the adoption of control measures against certain organisations (126). Under both Acts, upon request by the Director-General of the PSIA the Public Security Examination Commission may issue certain "dispositions" (surveillance/prohibitions in the case of the ACO (127), dissolution/prohibitions in the case of the SAPA (128) and in this context the PSIA may carry out investigations (129). According to the information received, these investigations are always conducted on a voluntary basis, meaning that the PSIA may not force an owner of personal information to provide such information (130). Each time, controls and investigations shall be conducted only to the minimum extent necessary to achieve the control purpose and shall not under any circumstances be carried out to "unreasonably" restrict the rights and freedoms guaranteed under the Constitution of Japan (Article 3(1) of SAPA/ACO). Moreover, according to Article 3(2) of the SAPA/ACO, the PSIA must under no circumstances abuse such controls, or the investigations carried out to prepare such controls. If a Public Security Intelligence Officer has abused his/her authority under the respective Act by forcing a person to do anything which the person is not required to, or by interfering with the exercise of a person's rights, (s)he may be subject to criminal sanctions pursuant to Article 45 SAPA or Article 42 ACO. Finally, both Acts explicitly prescribe that their provisions, including the powers granted therein, shall "not under any circumstances be subject to an expanded interpretation" (Article 2 of SAPA/ACO).