On 12 June 2020 the Diet promulgated the Amendment Act of the Act on the Protection of Personal Information, which will come into force by June 2022.(1) Many of the act's provisions have been delegated to subordinate regulations, including:
- the Cabinet Order to Enforce the Act on the Protection of Personal Information; and
- the Personal Information Protection Commission's (PPC's) Enforcement Rule for the Act on the Protection of Personal Information.
In December 2020 further proposed amendments to these regulations were published.(2) This article outlines the effect that these proposed amendments will have on businesses' disclosure requirements when transferring personal data to overseas third parties.(3)
Where a business must obtain a data subject's consent before transferring their data to a third party abroad, it must provide the data subject with information about the protection of personal information in the country in which the third party is located. According to Article 24(2) of the amendment act, businesses must also inform the data subject of the measures that the third party will take to protect their personal information. The proposed PPC rule amendment establishes how businesses should provide such information and the details that they should include.
According to Article 11-3(1) of the proposed PPC rule amendment, businesses may provide the relevant information to data subjects:
- in writing;
- by electronic means; or
- by any other appropriate method.
Information to be provided
Article 11-3(2) of the proposed PPC rule amendment stipulates that businesses must provide the following information to relevant data subjects:
- the country to which the personal data will be transferred;
- the system for the protection of personal information in the country to which the personal data will be transferred, obtained by appropriate and reasonable methods; and
- protective measures that will be taken by the third-party recipient of the personal data.
The qualification that such information should be obtained only "by appropriate and reasonable methods" may indicate the PPC's recognition that providing accurate, complete and up-to-date information about foreign data protection systems may impose an excessive burden on businesses.
The PPC has further stated that businesses must indicate whether:
- a system for the protection of personal information is in place in the country to which the data is transferred;
- any external data protection regulations apply – for example:
  - whether the country to which the data is transferred is a member of the Cross-Border Privacy Rules system; or
  - whether the data transfer is made on the basis of an adequacy decision pursuant to Article 45 of the EU General Data Protection Regulation;
- any of the eight principles of the Organisation for Economic Cooperation and Development Privacy Guidelines do not apply in the country to which the data is transferred – for example, where the country does not restrict:
  - the use of data for any purpose other than that for which it was collected; or
  - the third-party provision of data; and
- a system that may have a material effect on the data subject's rights and interests is in place in the country to which the data is transferred – for example, where the following exist:
  - regulations regarding data localisation; or
  - a system that enables government access to data.
According to the PPC, further guidelines – due to be published from June 2021 onwards – will specify additional information that businesses must provide to enable data subjects to recognise how data protection measures differ between Japan and the country to which their data is transferred. For example, in cases where the third party has disclosed no usage purpose, the transferring business will have to provide such information.
Exceptions to disclosure requirements
Where the country cannot be specified
According to Articles 11-3(3)(i) and 11-3(3)(ii) of the proposed PPC rule amendment, where a business is unable to specify the country to which the data is transferred, it must instead inform the data subject of:
- the fact that the country cannot be specified and the reason therefor; and
- any information that the data subject can use as a reference instead.
Where measures taken by the third-party recipient are unknown
According to Article 11-3(4) of the proposed PPC rule amendment, where a business is unable to provide information about third-party data protection measures, it must disclose to the data subject the reason why such information is withheld.
In principle, under the Act on the Protection of Personal Information, businesses must obtain the data subject's consent before providing personal data to a third party in another country. However, according to Article 24 of the act, businesses need not obtain the data subject's consent where the foreign third party conforms to 'equivalent measures' (ie, where the foreign third party has established a system that conforms to standards concerning the protection of personal data equivalent to those with which a business must comply under the Act on the Protection of Personal Information).
Article 24(3) of the amendment act states that where a business does not obtain the data subject's consent for this reason, it must:
- take additional actions to ensure that the third party continues to implement such equivalent measures; and
- inform the data subject of such additional actions, pursuant to the proposed PPC rule amendment, on request.
Actions to ensure continuous implementation of equivalent measures
According to Article 11-4(1) of the proposed PPC rule amendment, the following are "necessary measures to ensure the continuous implementation of the Equivalent Measures":
- verifying, periodically and through appropriate and reasonable means:
  - the implementation status of the equivalent measures by the third party; and
  - whether any systems in the foreign country are likely to affect the equivalent measures' implementation and, if so, the details of such systems; and
- where the third party's implementation of the equivalent measures is hindered:
  - taking necessary and appropriate actions; and
  - suspending the provision of personal data to the third party.
The PPC has indicated that further guidelines will stipulate how frequently businesses must carry out this verification.
Information to be provided in response to data subject requests
Article 11-4(2) of the proposed PPC rule amendment prescribes that businesses should provide data subjects with information:
- in writing;
- by electronic means; or
- by any other appropriate method.
Further, Article 11-4(3) of the proposed PPC rule amendment states that a business should provide the following information on request and without delay:
- its method of establishing the third party's data protection system, as prescribed in Article 24(1) of the amendment act – for example, through:
  - a contract with the transferee; or
  - knowledge of internal regulations or privacy policies that commonly apply to transferors and transferees;
- an outline of the third party's equivalent measures;
- the frequency and method of its verification of the equivalent measures, pursuant to Article 11-4(1)(i) of the proposed PPC rule amendment;
- the country in which the third party is located;
- whether any systems in place in the third party's country are likely to affect the third party's implementation of the equivalent measures; and
- whether the third party's implementation of the equivalent measures is hindered in any way and, if so, an outline of any measures that it has taken pursuant to Article 11-4(1)(ii) of the proposed PPC rule amendment.
According to Article 11-4(3) of the proposed PPC rule amendment, if the provision of such information may materially hinder the business, all or part of the above matters may be withheld. However, according to Articles 11-4(4) and 11-4(5) of the proposed PPC rule amendment, businesses must notify the affected data subjects of any withheld information without delay and explain the reason why such information was withheld.
Previously, cross-border data transfers between group companies were carried out lawfully under the equivalent measures exception. However, as businesses must now comply with additional requirements (eg, the provision of more detailed information), the equivalent measures exception will likely become more onerous, particularly in cases where data is transferred only once and there is no continuing relationship between the transferor and transferee. Where personal data is transferred to a business in Japan, the additional requirements will not apply. Therefore, a business's burden will differ depending on the location of the recipient (ie, whether they are in Japan). It is expected that there will be an increase in cases in which personal data is transferred abroad via a company located in Japan that belongs to the transferee's corporate group.
Investigating systems for the protection of personal information in foreign countries and providing such information to data subjects may also be an onerous burden on businesses. If the amendment act intends to strictly enforce this provision, a better solution may be that the PPC, rather than each business, conducts the required exhaustive analysis of such foreign systems and provides businesses with the necessary information.
(1) For further information, please see "Amendment Bill of the Act on the Protection of Personal Information".