Personal Data Transfers Rules and Restrictions in Japan
- 30.07.2022
- Data Privacy
Elena Riazanova
CIPP/E, CIPM, CIPP/A, MA International Business Law
In this article, we provide information and guidance to organizations doing business in Japan on transferring personal data under the Act on the Protection of Personal Information, and on the steps required to protect personal data transferred to third-party service providers located inside and outside of Japan.
The Act on the Protection of Personal Information (APPI) regulates the collection, use, and handling of personal information in Japan. The Personal Information Protection Commission (Commission) enforces the APPI and issues administrative guidelines covering all industries and sectors.
Applicability and Jurisdictional Scope
The APPI applies to private business operators (data controllers under many other jurisdictions’ data protection laws) using personal information databases in Japan for business purposes (Article 2(5), APPI). The APPI defines a personal information database as a computer-searchable or easily searchable collection of personal information (Article 2(4), APPI).
The APPI does not use the term “data processors” but contains rules applicable to third parties processing personal information databases on an operator’s behalf.
Similarly to GDPR, the APPI applies extraterritorially when operators handle, outside of Japan, personal information obtained from data subjects residing in Japan in connection with providing goods or services (Article 75, APPI).
The APPI defines personal data as personal information comprising a personal information database (a computer-searchable or easily searchable collection of personal information) (Articles 2(4) and 2(6), APPI).
🔹 health;
🔹 criminal record and damages suffered by a crime;
🔹 race;
🔹 religion;
🔹 social status;
🔹 other sensitive personal information prescribed by Cabinet Order requiring special care to avoid unfair discrimination, prejudice, or another disadvantage.
Data Transfer Restrictions
The APPI contains restrictions on transfers to:
🔹 Third parties that process personal data on the data controller’s behalf (data processors).
🔹 Recipients in countries the Commission has not deemed to provide adequate privacy protection.
Transfers to Service Providers
Organizations may enter into data processing agreements, but they must ensure the third-party service provider complies with the APPI to protect the outsourcing operator.
Cross-Border Transfers
Under the APPI, operators may transfer personal information outside Japan only if the third-party transferee either:
1. Is in a country that the European Commission determined has the same level of protection for personal information as Japan, namely:
• the European Economic Area (EEA) (Personal Information Protection Commission: The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force);
• the UK (Personal Information Protection Commission: Maintaining a framework for the smooth transfer of personal data between Japan and the UK).
2. Has established a system to continuously ensure that it undertakes the same level of protective measures the APPI requires. Under the Guidelines, this exception applies if:
• the operator and third party enter into a data transfer agreement ensuring that the third party undertakes the necessary protective measures;
• the third party is an intra-group affiliate, in which case the operator and the third party may rely on privacy statements or internal policies applicable to the group that they have appropriately drafted and enforced;
• an internationally recognized framework of personal data protection, such as the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System, has certified the foreign third party.
(Article 24, APPI, Article 11-2, Enforcement Rules, and Guidelines on the Act on the Protection of Personal Information: Providing to a Third Party in a Foreign Country at 8 to 33).
Exceptions to Cross-Border Transfer Restrictions
The APPI provides certain exceptions that permit cross-border personal data transfers to jurisdictions that do not have the same level of data protection as the APPI. Operators may transfer personal data cross border if:
1. The data subject consents to the transfer.
2. Other Japanese laws permit the transfer.
3. The transfer is necessary to:
• protect a person’s life, body, or property and it is difficult to obtain the data subject’s consent;
• promote public health or the health of children and it is difficult to obtain the data subject’s consent; or
• cooperate with national or local government authorities or entrusted persons in their performance of affairs under laws and regulations and obtaining the data subject’s consent interferes with the performance of those affairs.
(Article 28 APPI)
These mechanisms apply equally to transfers between related corporate entities or to and from unrelated third parties.
Guidance for Operators (controllers) Transferring Personal Data Outside Japan
Once a basis to transfer personal data outside Japan is identified and documented, operators (data controllers) should take further steps to protect personal data and comply with the APPI’s requirements including:
🔹 Performing vendor due diligence before any engagement.
🔹 Notifying data subjects about the transfer.
🔹 Developing and implementing contract terms that support the operator’s privacy and information security programs and comply with legal requirements.
🔹 Engaging in regular vendor oversight and contract enforcement.