I. Article Synopsis
An extensive amendment to Japan's Act on the Protection of Personal Information (Act No. 57 of 2003, the "Act") was promulgated on September 9, 2015 and will become fully effective on a date that is set by cabinet order and falls before September 9, 2017. The amendment generally increases the burden on data controllers and places new restrictions on exporting personal data from Japan. This article focuses on transferring data between companies and from Japan to foreign countries. References in this article to the Act refer to the amended Act.
II. Restrictions on Provision of Personal Data to Third Parties
As a general rule, a data controller must not provide personal data to a third party without obtaining prior consent from the data subject. Subject to certain exceptions under the Act, a "third party" is a legal entity or natural person other than the data controller, whether abroad or in Japan, and includes affiliated companies of the data controller.
A data controller, however, may provide personal data to a third party without data subject consent where:
(1) The provision is based on Japanese law;
For example, when a retailer transmits consumer data to a manufacturer to aid in a product recall in compliance with the Consumer Product Safety Law (Act No. 31 of 1973) or when a bank reports personal data related to a suspicious transaction to Japan's Financial Services Agency in compliance with the Act on Prevention of Transfer of Criminal Proceeds (Act No. 22 of 2007).
(2) The provision is necessary for the protection of the life, body or property of an individual and it is difficult to obtain the prior consent of the data subject;
For example, where family member contact information is given to a doctor in an emergency situation.
(3) The provision is necessary for public hygiene or promoting the sound growth of children, and it is difficult to obtain the consent of the data subject;
For example, where a school exchanges personal information of delinquent children with a child support center for the benefit of the children.
(4) The provision is in cooperation with the Japanese government and obtaining the consent of the data subject might impede the execution of the operations concerned;
For example, where a data controller voluntarily shares employee personal data with the Japanese National Tax Authority.
(5) The data controller has effectively obtained opt-out consent from the data subject;
Opt-out consent may be obtained from a data subject by registering the opt-out clause with the Japanese government's Personal Information Protection Committee (the "PIPC") and communicating, or making readily available, the following information to the data subject before provision of the personal data to the third party:
(a) The fact that the personal data will be provided to third parties;
(b) The items of personal data to be provided to third parties;
(c) The method of provision to third parties;
(d) A promise from the data controller to stop provision at the request of the data subject; and
(e) How the data subject can contact the data controller.
Items (a)-(e) above could be communicated via a public website or publicly viewable bulletin board or by targeted emailing. Opt-out consent is never valid for personal data that contains sensitive information such as race, religion and criminal record. The duty to register with the PIPC was newly imposed by the 2015 amendment to the Act. The PIPC will publicly disclose opt-out clauses that are submitted to it. Opt-out clauses put into use before the amendment takes effect are not exempt from this duty to register.
(6) The disclosee qualifies as a trustee;
A data controller may provide personal data to a trustee (itakusaki) without notifying the data subject because a trustee is not considered a third party under the Act. A trustee is an entity that is entrusted with personal data to perform a task for the data controller, that is restricted from using the personal data for its own purposes, and that uses the personal data only within the purposes of use communicated to the data subject. Common examples of a trustee include an email storage company and a package delivery company.
(7) The personal data is provided due to a merger, etc.; or
A data controller may provide personal data to a third party where the personal data is provided due to a succession of business such as a merger, company split or business transfer. This merger exception applies only when a succession of business actually happens; it does not apply at the due diligence stage of an M&A transaction. If the potential purchaser requests the target company to provide personal data that it holds before consummation of the M&A transaction, the target company is required to enter into an agreement that ensures that the potential purchaser will comply with the Act. The agreement should restrict how the potential purchaser uses the personal data, set forth matters concerning the handling of the personal data, require the potential purchaser to create a response plan in case of a personal data leak, and provide for how to treat the personal data if the contemplated transaction does not close. Often, a target company can comply with its duty not to provide personal data to third parties by redacting the documents it provides for due diligence review so as to make it impossible to identify individuals from the documents.
(8) The disclosee qualifies as a joint user.
Transfer of personal data to an entity that would otherwise be a third party is allowed if the entity qualifies as a joint user (kyoudou riyousha). An entity is a joint user once the data controller communicates the following information to the data subject:
- The type of personal data to be jointly used;
- The scope of the joint users;
- The purpose of use of the jointly used personal data; and
- Contact information for the entity in charge of managing the jointly used personal data.
The joint user exception was designed to be used among group companies.
III. New Restrictions on Exporting Personal Data from Japan
In contrast to EU data protection law, the Act did not originally place restrictions specifically on the transfer of personal data to foreign countries. The 2015 amendment to the Act introduced restrictions on transferring data abroad.
If a data controller inside Japan desires to transfer personal data to a separate legal entity outside Japan (including a member of the same group of companies), the data controller must either (1) obtain the data subject's consent, or (2) in addition to fulfilling one of the requirements set forth in Section II above, satisfy one of the following conditions:
- The foreign jurisdiction has been designated by the PIPC as having a data protection regime up to Japanese standards; or
- The specific third-party transferee upholds data protection standards to be determined by the PIPC.
There are no reporting requirements related to transferring personal data abroad.
IV. New Data Transfer Documentation Requirements
(1) Transferring personal data
When a data controller transfers personal data to a third party, the transferor must document (i) the transfer date, (ii) the recipient's name and (iii) other recipient information to be determined by the PIPC. The transferor must maintain these records for a period to be determined by the PIPC.
(2) Receiving personal data
When a data controller receives personal data from a third party, the recipient must ascertain (i) the transferor's name (and the transferor's representative's name if the transferor is a legal entity), (ii) the transferor's address and (iii) how the transferor came to possess the personal data. In addition, the recipient must document (i) the date of receipt of the personal data, (ii) the fact that the recipient actually ascertained the matters required to be ascertained, and (iii) other information to be determined by the PIPC. The recipient must maintain these records for a period to be determined by the PIPC.