In December 2016, the Cabinet of Japan announced that the amended Act on the Protection of Personal Information will be fully implemented on May 30 2017. One of the main objectives of the amended Act is to create a framework that recognises and addresses the fact that transfers of personal data occur on a global scale. Specifically, rules addressing transfers of personal data out of Japan will be established.
Under the amended Act, when personal data is to be transferred to a third party in a foreign state, in principle, a business operator handling such personal data must obtain the advance consent of the data subjects (new article 24). This does not apply in the following circumstances: (i) where the third party data recipient is located in one of the foreign states identified by regulation of the Personal Information Protection Commission (PPC) as having regulations addressing personal information protection that are considered to be equivalent to those of Japan; (ii) where the third party data recipient maintains internal personal information protection procedures and safeguards that are consistent with the standards set by the relevant regulation of the PPC, or; (iii) where one of the exceptional cases identified in article 23, paragraph 1 of the amended Act applies, that is: when providing personal data in accordance with the law, when the provision of personal data is necessary for the protection of life, body or property and obtaining consent is not practically possible, and so on).
Where a foreign corporation seeks to collect personal data from its subsidiary in Japan, or a corporation in Japan which entrusts the handling of personal data to a service vendor located in a foreign state, the new rules will require that corporation to obtain the consent of the data subjects. Exceptions to this requirement would be where the third party data recipient is located in one of the foreign states as mentioned in (i) above, or implements acceptable internal personal information protection procedures and safeguards as mentioned in (ii) above. These changes may have a large impact on certain businesses.
The relevant PPC regulations have yet to be established, and therefore the PPC's forthcoming decisions will be carefully monitored to determine, among other things, which foreign states it will identify as having regulations addressing personal information protection that are equivalent to those of Japan.