Provision of personal data to third parties in foreign countries
As the business environment becomes increasingly globalized, Japanese companies are feeling its impact. Notably, there is a growing trend of outsourcing the management of customer information and other personal data to vendors outside of Japan. This global outsourcing is often pursued for cost reduction, efficiency improvement, or when specific technical expertise is required.
However, such delegation necessitates careful consideration regarding personal information protection. Under Japan’s Personal Information Protection Act, there are clear stipulations regarding the handling of personal data when domestic companies entrust it to third parties overseas. The law mandates that when entrusting personal information to foreign entities, compliance with the data protection laws of that country is required. Additionally, it is necessary to ensure that the overseas vendor has appropriate security measures in place to safeguard the data.
Companies must be knowledgeable about the legal and regulatory requirements related to personal information handling when contracting with overseas vendors. They also need to take measures to ensure data security, privacy protection, and proper data management. This includes regular audits, updating privacy policies, and enhancing communication with vendors. By doing so, companies can enjoy the benefits of international data flow while maintaining customer trust and minimizing legal risks.
The provision of personal data to third parties in foreign countries is stipulated in Article 28 of the Act on the Protection of Personal Information as follows:
(Restrictions on the Provision of Personal Data to Third Parties in Foreign Countries)
Article 28(1)Except cases set forth in the items of paragraph (1) of the preceding Article, before businesses handling personal information provide personal data to a third party (excluding a person that establishes a system that conforms to standards prescribed by Order of the Personal Information Protection Commission as necessary for continuously taking measures equivalent to those that a business handling personal information must take concerning the handling of personal data pursuant to the provisions of this Section (referred to as “equivalent measures” in paragraph (3)); hereinafter the same applies in this paragraph, the following paragraph and Article 31, paragraph (1), item(ii)) in a foreign country (meaning a country or region located outside the territory of Japan; hereinafter the same applies in this Article and Article 31, paragraph (1), item (ii)) (excluding those prescribed by Order of the Personal Information Protection Commission as a foreign country that has established a personal information protection system recognized to have equivalent standards to that in Japan regarding the protection of individual rights and interests; hereinafter the same applies in this Article and Article 31, paragraph (1), item (ii)), the businesses must obtain an identifiable person’s consent to the effect that the person approves the provision to a third party in a foreign country. In this case, the provisions of the preceding Article do not apply.
(2)Before intending to obtain the identifiable person’s consent pursuant to the provisions of the preceding paragraph, businesses handling personal information must provide that person with information on the personal information protection system of the foreign country, on the measures the third party takes for the protection of personal information, and other information that is to serve as a reference to that person, pursuant to Order of the Personal Information Protection Commission.
(3)When having provided personal data to a third party (limited to a person establishing a system prescribed in paragraph (1)) in a foreign country, businesses handling personal information must take necessary measures to ensure continuous implementation of the equivalent measures by the third party, and provide information on the necessary measures to the identifiable person at the request of that person, pursuant to Order of the Personal Information Protection Commission.
https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en#je_ch4sc2at12
In summary, one of the following 1, 2 and 3 conditions must be met, as stipulated in Article 28 of the law, to provide personal data to a third party located in a foreign county:
- Obtain the individual’s consent in advance for the provision to a third party in a foreign country. The information below is to be provided at obtaining a consent.
i. The name of the foreign country to which the information will be transferred.
ii. Information regarding the system for protection of personal information in the said foreign country, obtained through appropriate and reasonable methods.
iii. Information regarding the measures the third party will take for the protection of personal information. - The third party in a foreign country has established an appropriate system. ※
- The third party in a foreign country is located in a country or region recognized by the Personal Information Protection Commission, which are the EU and the UK only (as of April 2022).
#2 above is stipulated by the Article 16 of the Law Enforcement Regulations of the Act on the Protection of Personal Information as copied/translated below:
(個人情報取扱事業者が講ずべきこととされている措置に相当する措置を継続的に講ずるために必要な体制の基準)
第十六条 法第二十八条第一項の個人情報保護委員会規則で定める基準は、次の各号のいずれかに該当することとする。
一 個人情報取扱事業者と個人データの提供を受ける者との間で、当該提供を受ける者における当該個人データの取扱いについて、適切かつ合理的な方法により、法第四章第二節の規定の趣旨に沿った措置の実施が確保されていること。
二 個人データの提供を受ける者が、個人情報の取扱いに係る国際的な枠組みに基づく認定を受けていること。
(Translation)
Law Enforcement Regulations of the Act on the Protection of Personal Information
Regulations
Article 16
The criteria set forth in the Personal Information Protection Commission regulations under Article 28, Paragraph1 of the law shall meet any of the following:(1) Between the businesses handling personal information and the recipient of the personal data, appropriate and reasonable measures in line with the intent of the provisions in Chapter 4, Section 2 of the law are ensured for the handling of such personal data by the recipient.
(2) The recipient of the personal data has been accredited under an international framework concerning the handling of personal information.
https://elaws.e-gov.go.jp/document?lawid=428M60020000003
Here is some additional explanation of the above item (1) and (2):
For (1): Measures in line with the objectives of the Personal Information Protection Law are implemented by the third party in a foreign country, which is ensured through a contracted agreement, common internal regulations, or acquisition of the certification of the APEC Cross-Border Privacy Rules (CBPR) system by the entity providing the personal data.
For (2): The third party in a foreign country is certified based on an international framework for the handling of personal information (e.g., certification based on the APEC Cross-Border Privacy Rules (CBPR) system: The APEC Cross-Border Privacy Rules (CBPR) system is a mechanism to facilitate the cross-border transfer of personal data within the APEC region.)
“Appropriate and reasonable measures in line with the intent of the provisions in Chapter 4, Section 2 of the law” are stipulated in Article 18 of the Law Enforcement Regulations of the Act on the Protection of Personal Information as copied/translated below:
個人情報の保護に関する法律施行規則
(外国にある第三者による相当措置の継続的な実施を確保するために必要な措置等)
第十八条 法第二十八条第三項(法第三十一条第二項において読み替えて準用する場合を 含む。)の規定による外国にある第三者による相当措置の継続的な実施を確保するために必要な措置は、次に掲げる措置とする。
一 当該第三者による相当措置の実施状況並びに当該相当措置の実施に影響を及ぼすおそれのある当該外国の制度の有無及びその内容を、適切かつ合理的な方法により、定期的に確認すること。
二 当該第三者による相当措置の実施に支障が生じたときは、必要かつ適切な措置を講ずるとともに、当該相当措置の継続的な実施の確保が困難となったときは、個人データ (法第三十一条第二項において読み替えて準用する場合にあっては、個人関連情報)の 当該第三者への提供を停止すること。
2 法第二十八条第三項の規定により情報を提供する方法は、電磁的記録の提供による方 法、書面の交付による方法その他の適切な方法とする。
3 個人情報取扱事業者は、法第二十八条第三項の規定による求めを受けたときは、本人に 対し、遅滞なく、次に掲げる事項について情報提供しなければならない。ただし、情報提 供することにより当該個人情報取扱事業者の業務の適正な実施に著しい支障を及ぼすお それがある場合は、その全部又は一部を提供しないことができる。
一 当該第三者による法第二十八条第一項に規定する体制の整備の方法
二 当該第三者が実施する相当措置の概要
三 第一項第一号の規定による確認の頻度及び方法
四 当該外国の名称
五 当該第三者による相当措置の実施に影響を及ぼすおそれのある当該外国の制度の有無及びその概要
六 当該第三者による相当措置の実施に関する支障の有無及びその概要
七 前号の支障に関して第一項第二号の規定により当該個人情報取扱事業者が講ずる措置の概要
4 個人情報取扱事業者は、法第二十八条第三項の規定による求めに係る情報の全部又は一部について提供しない旨の決定をしたときは、本人に対し、遅滞なく、その旨を通知しなければならない。
5 個人情報取扱事業者は、前項の規定により、本人から求められた情報の全部又は一部について提供しない旨を通知する場合には、本人に対し、その理由を説明するよう努めなけ ればならない。
Translation:
(Measures, etc. necessary to ensure the continuous implementation of adequate measures by a third party located abroad)
Regulations Article 18
Measures necessary to ensure the continuous implementation of appropriate measures by a third party located abroad pursuant to the provisions of Article 28, Paragraph 3, (including cases where it is applied mutatis mutandis under Article 31, Paragraph 2) are as follows:I. Regularly verify, in an appropriate and reasonable manner, the status of implementation of the appropriate measures by said third party, as well as the presence and content of any system in the said foreign county that might influence the implementation of such measures.
II. If there are obstacles to the implementation of the appropriate measures by the third party, take necessary and appropriate actions and, if it becomes difficult to ensure the continuous implementation of such appropriate measures, stop providing personal data (or personal related information in cases where it is applied mutatis mutandis under Article 31, Paragraph 2) to the said third party.
2. The method of providing information pursuant to the provisions of Article 28, Paragraph 3 includes electronic record provision, written documentation, and other appropriate methods.
3. When a business handling personal information (a personal information handler) receives a request pursuant to the provisions of Article 28, Paragraph 3, they must promptly provide the individual with the following information. However, if providing such information might significantly hinder the proper execution of the business of the personal information handler, they may refrain from providing all or part of it:
i. Method of system establishment as stipulated in Article 28, Paragraph 1 by the third party.
ii. Overview of the appropriate measures implemented by the third party.
iii. Frequency and method of verification pursuant to item 1 of paragraph I.
iv. Name of the said foreign country.
v. Presence and overview of any system in the said foreign county that might influence the implementation of such appropriate measures by the third party.
vi. Presence and overview of any obstacles regarding the implementation of such appropriate measures by the third party.
vii. Overview of the measures taken by the personal information handler in accordance with the provisions of item 2 of paragraph 1 regarding the obstacles in the previous item.4. If a personal information handler decides not to provide all or part of the information concerning the request pursuant to the provisions of Article 28, Paragraph 3, they must promptly notify the individual of this decision.
5. When a personal information handler notifies an individual that they will not provide all or part of the requested information pursuant to the previous paragraph, they must strive to explain the reason for such a decision to the individual.
https://www.ppc.go.jp/files/pdf/personal_commissionrules.pdf
Businesses handling personal information in a foreign country has the same obligations as those in Japan, as stipulated in the ACT Chapter 4 Section 2, Obligations of Businesses Handling Personal Information and Businesses handling Information Related to Personal Information, from Article 17 through Article 40.
https://www.japaneselawtranslation.go.jp/en/laws/view/4241/en#je_ch4sc2at1