This article provides information and guidance for organizations doing business in Japan on transferring personal data under the Act on the Protection of Personal Information, and on the steps required to protect personal data transferred to third-party service providers located inside and outside Japan.
The Act on the Protection of Personal Information (APPI) regulates the collection, use, and handling of personal information in Japan. The Personal Information Protection Commission (Commission) enforces the APPI and issues administrative guidelines covering all industries and sectors.
Applicability and Jurisdictional Scope
The APPI applies to private business operators (data controllers under many other jurisdictions’ data protection laws) using personal information databases in Japan for business purposes (Article 2(5), APPI). The APPI defines a personal information database as a computer-searchable or easily searchable collection of personal information (Article 2(4), APPI).
The APPI does not use the term “data processors” but contains rules applicable to third parties processing personal information databases on an operator’s behalf.
Similarly to the GDPR, the APPI applies extraterritorially when operators handle, outside of Japan, personal information obtained from data subjects residing in Japan in connection with providing goods or services (Article 75, APPI).
The APPI defines personal data as personal information comprising a personal information database (a computer-searchable or easily searchable collection of personal information) (Articles 2(4) and 2(6), APPI).
Under Article 2(3), APPI and Article 2, Cabinet Order, sensitive information is information relating to:
Data Transfer Restrictions
The APPI contains restrictions on transfers to:
Transfers to Service Providers
Organizations may enter into data processing agreements, but they must ensure the third-party service provider complies with the APPI to protect the outsourcing operator.
Under the APPI, operators may transfer personal information outside Japan only if the third-party transferee either:
1. Is in a country that the European Commission determined has the same level of protection for personal information as Japan, namely:
- the European Economic Area (EEA) (Personal Information Protection Commission: The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force);
- the UK (Personal Information Protection Commission: Maintaining a framework for the smooth transfer of personal data between Japan and the UK).
2. Has established a system to continuously ensure that it undertakes the same level of protective measures the APPI requires. Under the Guidelines, this exception applies if:
- the operator and third party enter into a data transfer agreement ensuring that the third party undertakes the necessary protective measures;
- the third party is an intra-group affiliate, in which case the operator and the third party may rely on privacy statements or internal policies applicable to the group that they have appropriately drafted and enforced;
- an internationally recognized framework of personal data protection, such as the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System, has certified the foreign third party.
(Article 24, APPI, Article 11-2, Enforcement Rules, and Guidelines on the Act on the Protection of Personal Information: Providing to a Third Party in a Foreign Country at 8 to 33.)
Exceptions to Cross-Border Transfer Restrictions
The APPI provides certain exceptions that permit cross-border personal data transfers to jurisdictions that do not have the same level of data protection as the APPI. Operators may transfer personal data cross border if:
1. The data subject consents to the transfer.
2. Other Japanese laws permit the transfer.
3. The transfer is necessary to:
- protect a person’s life, body, or property and it is difficult to obtain the data subject’s consent;
- promote public health or the health of children and it is difficult to obtain the data subject’s consent; or
- cooperate with national or local government authorities or entrusted persons in their performance of affairs under laws and regulations and obtaining the data subject’s consent interferes with the performance of those affairs.
(Articles 23(1) and 24, APPI.)
These mechanisms apply equally to transfers between related corporate entities or to and from unrelated third parties.
Guidance for Operators (Controllers) Transferring Personal Data Outside Japan
Once a basis to transfer personal data outside Japan is identified and documented, operators (data controllers) should take further steps to protect personal data and comply with the APPI’s requirements, including: