These rights are subject to three types of restrictions, relating to the individual's own or third parties’ rights and interests (51), serious interference with the PIHBO's business operations (52) as well as cases in which disclosure would violate other laws or regulations (53). The situations in which these restrictions would apply are similar to some of the exceptions applicable under Article 23(1) of Regulation (EU) 2016/679, which allows for restrictions of the rights of individuals for reasons related to the "protection of the data subject or the rights and freedoms of others" or "other important objectives of general public interest". Although the category of cases in which disclosure would violate "other laws or regulations" may appear broad, laws and regulations providing for limitations in this regard must respect the constitutional right to privacy and may impose restrictions only to the extent that the exercise of this right would "interfere with the public welfare" (54). This requires a balancing of the interests at stake.

Third, pursuant to Article 30(1) and (2) of the APPI a data subject has a right to request from a PIHBO to discontinue using personal information, or to delete such information, when it is handled in violation of Article 16 (regarding purpose limitation) or has been improperly acquired in violation of Article 17 of the APPI (regarding acquisition by deceit, other improper means or, in case of sensitive data, without consent). Likewise, under Article 30(3) and (4) of the APPI, the individual has a right to request from the PIHBO to cease the provision of the information to a third party where this would violate the provisions of Article 23(1) or Article 24 of the APPI (regarding third party provision, including international transfers).

Pursuant to Article 42(1) of the APPI, the PPC can, if it recognizes that there is a "need for protecting an individual's rights and interests in cases where a [PIHBO] has violated" specific APPI provisions, issue a recommendation to "suspend the act of violating or take other necessary action to rectify the violation". Such a recommendation is not binding, but opens the way for a binding order pursuant to Article 42(2) of the APPI. Based on this provision, if the recommendation is not followed "without legitimate grounds" and the PPC "recognises that a serious infringement of an individual's rights and interests is imminent", it can order the PIHBO to take action in line with the recommendation.

Importantly, Article 21(2) of the Constitution guarantees the secrecy of all means of communication, with limitations only allowed by legislation on public interest grounds. Article 4 of the Telecommunications Business Act, according to which the secrecy of communications handled by a telecommunications carrier shall not be violated, implements this confidentiality requirement at the level of statutory law. This has been interpreted as prohibiting the disclosure of communications information, except with the consent of users or if based on one of the explicit exemptions from criminal liability under the Penal Code (77).

Aside from these limitations for the exercise of public authority, business operators themselves are expected to check ("confirm") the necessity and "rationality" of the provision to a third party (99). This includes the question whether they are prevented by law from cooperating. Such conflicting legal obligations may in particular follow from confidentiality obligations such as Article 134 of the Penal Code (concerning the relationship between a doctor, lawyer, priest, etc. and his/her client). Also, "any person engaged in the telecommunication business shall, while in office, maintain the secrets of others that have come to be known with respect to communications being handled by the telecommunication carrier" (Article 4(2) of the Telecommunication Business Act). This obligation is backed-up by the sanction stipulated in Article 179 of the Telecommunication Business Act, according to which any person that has violated the secrecy of communications being handled by a telecommunications carrier shall be guilty of a criminal offence and punished by imprisonment with labour of up to two years, or to a fine of not more than one million yen (100). While this requirement is not absolute and in particular allows for measures infringing the secrecy of communications that constitute "justifiable acts" within the meaning of Article 35 of the Penal Code (101), this exception does not cover the response to non-compulsory requests by public authorities for the disclosure of electronic information pursuant to Article 197(2) of the CCP.