Japan: Personal data protection

Author: | Published: 26 Jan 2017
Email a friend

Please enter a maximum of 5 recipients. Use ; to separate more than one email address.

Nagashima Ohno & Tsunematsu

Address

JP Tower, 2-7-2 Marunouchi
Chiyoda-ku, Tokyo 100-7036
Japan

Telephone

+81 3 6889 7000

Fax

+81 3 6889 8000 Visit Website
Makiko Harada

In December 2016, the Cabinet of Japan announced that the amended Act on the Protection of Personal Information will be fully implemented on May 30 2017. One of the main objectives of the amended Act is to create a framework that recognises and addresses the fact that transfers of personal data occur on a global scale. Specifically, rules addressing transfers of personal data out of Japan will be established.

Under the amended Act, when personal data is to be transferred to a third party in a foreign state, in principle, a business operator handling such personal data must obtain the advance consent of the data subjects (new article 24). This does not apply in the following circumstances: (i) where the third party data recipient is located in one of the foreign states identified by regulation of the Personal Information Protection Commission (PPC) as having regulations addressing personal information protection that are considered to be equivalent to those of Japan; (ii) where the third party data recipient maintains internal personal information protection procedures and safeguards that are consistent with the standards set by the relevant regulation of the PPC, or; (iii) where one of the exceptional cases identified in article 23, paragraph 1 of the amended Act applies, that is: when providing personal data in accordance with the law, when the provision of personal data is necessary for the protection of life, body or property and obtaining consent is not practically possible, and so on).

Where a foreign corporation seeks to collect personal data from its subsidiary in Japan, or a corporation in Japan which entrusts the handling of personal data to a service vendor located in a foreign state, the new rules will require that corporation to obtain the consent of the data subjects. Exceptions to this requirement would be where the third party data recipient is located in one of the foreign states as mentioned in (i) above, or implements acceptable internal personal information protection procedures and safeguards as mentioned in (ii) above. These changes may have a large impact on certain businesses.

The relevant PPC regulations have yet to be established, and therefore the PPC's forthcoming decisions will be carefully monitored to determine, among other things, which foreign states it will identify as having regulations addressing personal information protection that are equivalent to those of Japan.

Makiko Harada

 


 

 

close Register today to read IFLR's global coverage

Get unlimited access to IFLR.com for 7 days*, including the latest regulatory developments in the global financial sector, updated daily.

  • Deal Analysis
  • Expert Opinion
  • Best Practice

register

*all IFLR's global coverage published in the last 3 months.

Read IFLR's global coverage whenever and wherever you want for 7 days with IFLR mobile app for iPad and iPhone

"The format of the Review has changed over the years; the high quality of its substantive content has not."
Lee C Buchheit, Cleary Gottlieb

register