Japan
Answer ... A handling operator cannot transfer personal data to a third party without the prior consent of the data subject, unless it meets the requirements of any of the exceptions provided by the Act on Protection of Personal Information (APPI) (Article 27), as outlined below.
Exceptions under Article 27.1: The provision of the personal data is required by law or regulation, or is necessary to protect the life, body or property of a person, and it is difficult to obtain the data subject’s consent.
Opt-out: See question 4.
Outsourcing of data processing: If a handling operator outsources all or part of the processing of personal data to an individual or another entity, that individual or entity will not be considered a ‘third party’ within the context of Article 27 (Article 27.5(i)). For example, if the handling operator uses third-party vendors for its services, and shares personal data with those vendors for their use on its behalf and not for their own use, the transfer will be regarded as outsourcing and the restrictions on provision to a third party thus will not apply.
Where a handling operator outsources the processing of personal data, it must exercise the necessary and appropriate supervision of the outsourcing provider to ensure security control over the outsourced personal data (Article 25).
Business succession: A handling operator may provide personal data to a third party without the prior consent of the data subject if the provision of the personal data results from a business succession due to a merger or other legal reason (Article 27.5(ii)).
Joint use: A handling operator may share and jointly use personal data with specific individuals or entities if it notifies the data subject of the following information or makes this information easily accessible for the data subject (Article 27.5(iii)):
- the fact that personal data will be used jointly with specific individuals or entities;
- the personal data to be used jointly;
- the identity of the joint users;
- the purpose of the joint use; and
- the name of the individual or entity responsible for managing the personal data, its address, and in the case of a juridical person, the name of its representative officer.
Once these requirements have been complied with, the identified joint users will not be deemed ‘third parties’ within the context of Article 27, and the handling operator and the identified joint users may thus share and jointly use specific items of personal data as if they were a single entity.
In addition, the amended APPI introduced the concept of provision of personally referable information. For details, please refer to 11.1 below.
Japan
Answer ... In principle, a handling operator must obtain the prior consent of the data subject in order to transfer its personal data to a third party located in a country other than Japan. The foregoing restriction also applies in the case of outsourcing, business succession and joint use, which are exceptions to local third-party data transfer restrictions.
The data subject’s consent to an overseas data transfer is not necessary if:
- the foreign country is designated by the Personal Information Protection Commission (PPC) as a country with a data protection regime with a level of protection equivalent to that of Japan (only member countries of the European Economic Area and the United Kingdom have been designated to date); and
- the third-party recipient has a system of data protection that meets the standards prescribed by the PPC Ordinance – that is, either:
  - it provides assurance, through appropriate and reasonable methods, that it will treat the disclosed personal data in accordance with the spirit of the requirements for processing personal data under the APPI. Under the PPC Guidelines, ‘appropriate and reasonable methods’ include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI; or
  - it has been certified under an international arrangement, recognised by the PPC, regarding its personal data processing system. The PPC Guidelines have identified the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules as a recognised international framework on the handling of personal information.
The amended APPI strengthened the existing regulations on data transfers to third parties outside Japan. In short, certain information, such as the personal information protection system of a data-importing country and the security measures taken by the data importer, is required to be provided to data subjects. If handling operators rely on the consent of data subjects to establish legal grounds for the cross-border transfer of personal data, such information must be provided to data subjects before obtaining their consent. If handling operators use the assurance of appropriate and reasonable methods to protect personal information, such information can be provided to data subjects upon their request. In addition, for cross-border transfers based on the assurance of appropriate and reasonable methods to protect personal information, the amended APPI mandates that handling operators "regularly monitor the establishment." The guidelines clarify this frequency requirement as once a year or more.
Japan
Answer ... The guidelines in specific sectors (e.g., finance and healthcare) set out by the PPC, the Financial Services Agency and the Ministry of Health, Labour and Welfare provide for higher standards for the transfer of personal data to third parties than the APPI. A handling operator that processes personal information in such sectors must comply with those guidelines.
In addition, the Privacy Mark criteria set out by the Japan Institute for Promotion of Digital Economy and Community also provide for higher standards for the transfer of personal data to third parties than the APPI. Although the Privacy Mark criteria are not legally binding, a handling operator that uses the Privacy Mark must comply with them.