Sign up for the DPO Europe Newsletter
We will share useful materials with you and talk about the latest news from the world of privacy.
Personal Data Transfers Rules and Restrictions in Japan
- Data transfer, Japan
- 30/07/2022
In this article we will provide some information and guidance to organizations doing business in Japan on transferring personal data under the Act on the Protection of Personal Information and required steps to protect personal data transferred to third-party service providers located inside and outside of Japan.
The Act on the Protection of Personal Information (APPI) regulates the collection, use, and handling of personal information in Japan. The Personal Information Protection Commission (Commission) enforces the APPI and issues administrative guidelines covering all industries and sectors.
Applicability and Jurisdictional Scope
The APPI applies to private business operators (data controllers) under many other jurisdictions’ data protection laws) using personal information databases in Japan for business purposes (Article 2(5), APPI). The APPI defines a personal information database as a computer-searchable or easily searchable collection of personal information (Article 2(4), APPI).
The APPI does not use the term “data processors” but contains rules applicable to third parties processing personal information databases on an operator’s behalf.
Similarly to GDPR, the APPI applies extraterritorially when operators handle, outside of Japan, personal information obtained from data subjects residing in Japan in connection with providing goods or services (Article 75, APPI).
The APPI defines Personal data as personal information comprising a personal information database (a computer-searchable or easily searchable collection of personal information) (Articles 2(4) and 2(6), APPI).
- health;
- criminal record and damages suffered by a crime;
- race;
- religion;
- social status;
- other sensitive personal information prescribed by Cabinet Order requiring special care to avoid unfair discrimination, prejudice, or another disadvantage.
Love to work together
We are open to cooperation with developing, enterprising companies.
Data Transfer Restrictions
The APPI contains restrictions on transfers to:
- Third parties that process personal data on data controller’s behalf (data processors).
- Recipients in countries the Commission has not deemed to provide adequate privacy protection.
Transfers to Service Providers
Organizations may enter into data processing agreements, but they must ensure the third-party service provider complies with the APPI to protect the outsourcing operator.
Cross-Border Transfers
Under the APPI, operators may transfer personal information outside Japan only if the third-party transferee either:
1. Is in a country that the European Commission determined has the same level of protection for personal information as Japan, namely:
- the European Economic Area (EEA) (Personal Information Protection Commission: The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force);
- the UK (Personal Information Protection Commission: Maintaining a framework for the smooth transfer of personal data between Japan and the UK).
2. Has established a system to continuously ensure that it undertakes the same level of protective measures the APPI requires. Under the Guidelines, this exception applies if:
- the operator and third party enter into a data transfer agreement ensuring that the third party undertakes the necessary protective measures;
- the third party is an intra-group affiliate, the operator and the third party may rely on privacy statements or internal policies applicable to the group that they have appropriately drafted and enforced;
- an internationally recognized framework of personal data protection, such as the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System, has certified the foreign third party.
(Article 24, APPI, Article 11-2, Enforcement Rules, and Guidelines on the Act on the Protection of Personal Information: Providing to a Third Party in a Foreign Country at 8 to 33.)
Sign up for the DPO Europe Newsletter
We will share useful materials with you and talk about the latest news from the world of privacy.
Exceptions to Cross-Border Transfer Restrictions
The APPI provides certain exceptions that permit cross-border personal data transfers to jurisdictions that do not have the same level of data protection as the APPI. Operators may transfer personal data cross border if:
1. The data subject consents to the transfer.
2. Other Japanese laws permit the transfer.
3. The transfer is necessary to:
- protect a person’s life, body, or property and it is difficult to obtain the data subject’s consent;
- promote public health or the health of children and it is difficult to obtain data subject’s consent; or
- cooperate with national or local government authorities or entrusted persons in their performance of affairs under laws and regulations and obtaining the data subject’s consent interferes with the performance of those affairs.
(Articles 23(1) and 24, APPI.)
These mechanisms apply equally to transfers between related corporate entities or to and from unrelated third parties.
Guidance for Operators (controllers) Transferring Personal Data Outside Japan
Once a basis to transfer personal data outside Japan is identified and documented, operators (data controllers) should take further steps to protect personal data and comply with the APPI’s requirements including:
- Performing vendor due diligence before any engagement.
- Notification of the data subjects about the transfer.
- Development and implementation of contract terms that support the operator’s privacy and information security programs and comply with legal requirements.
- Engaging in regular vendor oversight and contract enforcement.
© Elena Riazanova
CIPP/E, CIPM, CIPP/A, MA International Business Law
Contact us
Fill out the form and we will contact you as soon as possible!
Our team’s expertise and their qualifications enable us to tackle any challenge related to the implementation of personal data protection and other privacy-related issues.