In the following, we will deal with the details of the cross-border transfer rules. Please refer to Part I of this newsletter for a general introduction to the proposed amendment to the ministerial ordinances of the Act on the Protection of Personal Information (“APPI”), Part II for an overview of the data breach notification in the case of Data Breach Incidents, Part III for the details of pseudonymously processed information, and Part IV for an outline of Individual Related Information.
*The amendment to the ministerial ordinances of the APPI was finalized and published on March 24, 2021. There are no changes from the proposal.
An enhanced framework to protect personal data in the context of transfers of personal data to third parties outside of Japan has been included in the 2020 Amendment. Under the 2020 Amendment:
- When a business operator intends to obtain consent from the relevant data subjects for a transfer of personal data to a third party outside of Japan, the business operator must disclose to the relevant data subjects:
  - the legal system for protection of personal information in the foreign country to which the personal data will be transferred;
  - specific measures to protect personal information that are being or will be taken by the third party; and
  - other information that may be helpful to the relevant data subjects.
- When a business operator transfers personal data to a third party outside of Japan based on a certain system such as a data transfer agreement or group internal rules that require the third party to take equivalent measures to ensure a certain level of personal information protection prescribed in the Enforcement Rules for the APPI, the business operator is required to establish a necessary means for ensuring the continuous implementation of the equivalent measures by the third party and provide information relating to such necessary means upon a data subject’s request.
With regard to the first point (the obligation of a business operator to provide information) stated above, the proposal provides that a business operator must disclose:
- the name of the country in which the third party is located (if the business operator is unable to specify the name, (i) the fact that it is unable to specify it and the reason thereof, and (ii) if any, other information that may be helpful to the relevant data subjects);
- information relating to the legal system for protection of personal information in the foreign country obtained by an appropriate and reasonable method; and
- information relating to specific measures to protect personal information that are being or will be taken by the receiving person or entity (if the business operator is unable to specify the information, the fact that it is unable to specify and the reason thereof).
For the second point above (the obligation of a business operator to establish a necessary means), under the proposal, a “necessary means” must include:
- periodic confirmation by an appropriate and reasonable method as to:
  - the status of implementation of the equivalent measures by the third party; and
  - the systems which may affect such status in the country where the third party is located (if any);
- the taking of necessary and appropriate measures if there is a problem in the implementation of the equivalent measures; and
- cessation of transfer of personal data to such third party if it becomes difficult to ensure continuous implementation of the equivalent measures.
The proposal also stipulates the following information relating to the necessary means which is required to be disclosed upon request by a data subject:
- the method of establishing a system such as a data transfer agreement or group internal rules;
- an outline of the equivalent measure implemented by a third party outside Japan;
- the frequency and method of periodic confirmation by the business operator;
- the name of the country in which the third party is located;
- an outline of the systems which may affect the status of implementation of the equivalent measure by the third party in the country where the third party is located (if any);
- an outline of the problems regarding implementation of the equivalent measure by the third party (if any); and
- an outline of the measures to resolve such problems taken by the business operator.
However, if the provision of the information is likely to interfere seriously with the business operator’s proper implementation of its business operation, a business operator may refuse to provide all or part of the information. In such case, the business operator shall endeavor to explain the reason to the data subject.
With respect to the topic of international data transfer, a lot of issues could arise. Answers by the Personal Information Protection Committee (“PPC”) to the questions raised during public consultation for the proposal (556 Q&As, 361 pages!!) might resolve some of the issues; however, many outstanding issues will remain. It would likely be beneficial to consult the revision of the PPC guidelines and Q&As to be publicized in the coming summer. For example, the PPC guidelines currently being revised will likely specify further details regarding what type of summary of the legal system for the protection of personal information will be required.