Data transfer outside Japan

In November 2016, Japan’s Personal Information Protection Commission published guidelines on the implementation of the new amendment to the main body of Japan’s privacy law, the Act on the Protection of Personal Information (the “Act”), effective from May 30, 2017. These guidelines offer comprehensive guidance to companies that transfer personal data internationally and help in-house and external counsels understand how the Commission interprets and intends to implement the amended Act.

Before the amendment, the transfer of data to foreign countries was not specifically addressed in Japanese privacy law. Due to the limitation on extraterritorial application, data transfer outside Japan has rarely invited legal sanctions. However, the amended Act requires data holders to obtain consent from individuals to transfer personal data to third parties in foreign countries (with some exceptions discussed below). According to the guidelines, comprehensive consent for data transfer to a third party, without indicating that the third party recipient is in a foreign jurisdiction, may not be sufficient for international data transfer. This applies to all customer or employee data used in databases.

If you manage personal data outside Japan through your affiliate company or a service vendor, you may want to check if your privacy policy tells individuals that their personal information will be shared with or transferred to a third party in a foreign country. If the policy specifically identifies the affiliate or vendor in a foreign country with which you share personal information, consent taken under the policy will likely be valid after the amendment.

If you have not obtained explicit consent to transfer data internationally, you should ensure that recipients of the data introduce adequate safeguards consistent with Japanese legal standards as set forth by the Commission. Alternatively, you may be exempted from obtaining consent if data is transferred internationally for certain compelling reasons (e.g., as required by law or to protect the life or body of an individual). Please note that outsourcing or joint use of data does not qualify for exemptions.

According to the guidelines, to introduce the adequate safeguards mentioned above, providers of personal data need to ensure that foreign recipients of such data adopt measures equivalent to what Japanese data holders are required—more specifically, Articles 15 through 35 of the Act, as applicable. If a data provider is certified under the APEC Cross Border Privacy Rules (CBPR), the provider will likely be considered having adopted the necessary measures. If the recipient has such a certification, the provider will definitely meet the adequate safeguards.

The guidelines also state that data providers can adhere to adopt the measures by having properly drafted agreements or appropriate internal compliance policies. While these documents do not necessarily need to address every single item in Articles 15 through 35 of the Act, the Commission appears to think that such documents should provide more than a simple statement that recipients of personal data comply with Japanese privacy law. To date, the Commission has not published model contracts.

Data transmission in violation of the Act will be subject to a suspension order by the Commission. We do not know yet how actively international data transmission will be policed going forward. Nevertheless, companies affected by this amendment should be well prepared by the effective date.

Update: On 23 January 2019, the Commission published a new regulation that exempts EU from application of these rules. This means that EU countries do not fall under “foreign countries” for this purpose, and data transfer to these countries are treated similarly to data transfer within Japan.

Disclaimer
The information contained in this newsletter is for informational purposes only and should not be construed as legal advice on any matter. The material herein may not reflect the most current legal developments. The content and interpretation of the law addressed herein is subject to revision.

We disclaim all liability in respect to actions taken or not taken based on any or all the contents of this newsletter to the fullest extent permitted by law. Do not act or refrain from acting upon this information without seeking professional legal counsel.

© 2017 Law Office of Hajime Iwaki. All rights reserved.