The Commission has carefully analysed Japanese law and practice. Based on the findings developed in recitals 6 to 175, the Commission concludes that Japan ensures an adequate level of protection for personal data transferred to organisations falling within the scope of application of the Act on the Protection of Personal Information (5) and subject to the additional conditions referred to in this Decision. These conditions are laid down in the Supplementary Rules (Annex I) adopted by the Personal Information Protection Commission (PPC) (6) and the official representations, assurances and commitments by the Japanese government to the European Commission (Annex II).

Finally, the APPI creates a framework for the participation of sectoral industry organisations in ensuring a high level of compliance (see Chapter IV, Section 4). The role of such accredited personal information protection organisations (40) is to promote the protection of personal information by supporting businesses through their expertise, but also to contribute to the implementation of safeguards, notably by handling individual complaints and helping to solve related conflicts. To that end, they may request participating PIHBOs, if appropriate, to adopt necessary measures (41). Moreover, in case of data breaches or other security incidents PHIBOs shall in principle inform the PPC as well as the data subject (or the public) and take necessary action, including measures to minimise any damage and to prevent any recurrence of similar incidents (42). While those are voluntary schemes, on 10 August 2017 the PPC had listed 44 organisations, with the largest one, Japan Information Processing and Development Center (JIPDEC), alone counting 15 436 participating business operators (43). Accredited schemes include sector associations such as for instance the Japan Securities Dealers Association, the Japan Association of Car Driving Schools or the Association of Marriage Brokers (44).

Accredited personal information protection organisations submit annual reports on their operations. According to the "Overview of the Implementation Status [of] the APPI in FY 2015" published by the PPC, accredited personal information protection organisations received a total of 442 complaints, required 123 explanations from business operators under their jurisdiction, requested documents from these operators in 41 cases, gave 181 instructions and made two recommendations (45).

In any event, the Administrative Organ has to take a written decision within a certain period (30 days, which under certain conditions can be extended by an additional 30 days). If the request is rejected, only partially granted, or if the individual for other reasons considers the conduct of the Administrative Organ to be "illegal or unjust", the individual may request administrative review based on the Administrative Complaint Review Act (141). In such a case, the head of the Administrative Organ deciding on the appeal shall consult the Information Disclosure and Personal Information Protection Review Board (Articles 42, 43 APPIHAO), a specialised, independent board whose members are appointed by the Prime Minister with consent of both Houses of the Diet. According to the information received, the Review Board may carry out an examination (142) and in this respect request the Administrative Organ to provide the retained personal information, including any classified content, as well as further information and documents. While the ultimate report sent to the complainant as well as the Administrative Organ and made public is not legally binding, it is in almost all cases followed (143). Moreover, the individual has the possibility to challenge the appeal decision in court based on the Administrative Case Litigation Act. This opens the way for judicial control of the use of the national security exception(s), including of whether such an exception has been abused or is still justified.