In line with the recent wave of regulations governing the use of personal data, the Personal Information Protection Act of Japan restricts the provision of personal data to third parties, with a particular focus on the delivery of such data to third parties in foreign countries.
Under Article 23(1) of the Personal Information Protection Act of Japan (PIPA) (Act No. 57 of 2003, as amended), personal data may not be provided to any third party without the prior consent of the relevant individual. For purposes of the PIPA, “personal data” means personal information that is included in a personal information database, and “personal information” means (1) information that can identify a specific individual by name, date of birth, or another description contained in that information (including information that can easily be linked with other information that identifies the individual), or (2) information containing individual identification codes (e.g., passport numbers, driver’s license numbers, or other personal numbers, most notably for Japan an individual’s “My Number,” similar to a social security number in the United States).
Notwithstanding the foregoing, this general protection of personal information is subject to certain important exceptions discussed below.
Provision in Unavoidable Circumstances
Personal data concerning an individual may be provided to a third party without that individual’s prior consent in any of the following situations (Article 23(1)(i)–(iv)):
Opt-Out Exception Where Necessary
Personal data may be provided to a third party if the company (1) will suspend the provision of personal data upon the request of the relevant individual, and (2) has notified the individual of, or made readily available to the individual, all of the following information (Article 23(2)):
The requirement to describe the “manner for accepting the relevant individual’s requests to cease sharing of Personal Data” above was newly added pursuant to the amendments of the PIPA implemented on May 30, 2017 (the 2017 Amendments). Following the 2017 Amendments, the above information also needs to be submitted to the Personal Information Protection Commission (a Japanese government authority in charge of the PIPA and My Number Act, established on January 1, 2016) in advance.
In addition, the 2017 Amendments exclude certain sensitive personal information (including, for example, a person’s race, creed, social status, medical history, criminal records, the fact of having been a victim of a crime, etc.) from the scope of this “opt-out” exception.
Limited Exception for Provision to an Outsourcee
Where personal data is provided to an outsourcee in connection with outsourcing the handling of that personal data, to the extent necessary for that purpose, specific prior consent is not required (Article 23(5)(i)). In this case, the company providing the personal data to the outsourcee remains responsible for necessary and appropriate supervision of the outsourcee to ensure the security control of the personal data (Article 22).
Provision as a Result of Succession to a Business
Where personal data is provided to a third party as a result of the succession of a business through merger or otherwise, prior consent is likewise not required (Article 23(5)(ii)).
Exception in “Joint Use” Circumstances
Personal data may be shared among specifically designated companies without prior consent if all of the following items have been notified in advance to, or otherwise made readily available to, the individuals whose data is shared (Article 23(5)(iii)):
In practice, the “joint use” description is included in a published privacy policy maintained on a website or contained in a “click through” or similar condition of access to a firm’s services or information.
Following the 2017 Amendments, the PIPA imposes more stringent restrictions on the provision of personal data to a third party in a foreign country, other than a country that has implemented a personal information protection system equivalent to that of Japan (Article 24). The key differences from the general rules under Article 23 described above are as follows:
The significant limitation on the availability of exceptions to cross-border provision of personal data has highlighted the importance of confirming equivalence of protection in the relevant foreign jurisdictions. Where personal data is provided to a third party in a foreign country that has implemented a personal information protection system equivalent to that of Japan (an “equivalent country”), the stringent rule under Article 24 of the PIPA does not apply; instead, the general rule under Article 23 of the PIPA applies.
Pursuant to the notice published by the Personal Information Protection Commission on January 23, 2019, the following 31 countries were designated as the equivalent countries:
Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Latvia
Liechtenstein
Lithuania
Luxembourg
Malta
Netherlands
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
United Kingdom
Note that the above countries are all European countries subject to the General Data Protection Regulation (GDPR), and they are considered “equivalent countries” because of that regulation. Currently, neither the United States nor any Asian country is viewed as having an equivalent level of protection. Accordingly, the transfer of personal data by Japanese subsidiaries of foreign corporations to so-called “regional hub” affiliates, or to service providers whose servers and other data storage media are located outside Japan in Asia or the Americas, is highly problematic. While the notice issued by the Personal Information Protection Commission indicates that the list of qualifying countries will be reviewed and amended from time to time, the inclusion of the United States and Asian countries appears to be far off at the time of this writing.
Provision of Personal Data to Foreign Affiliates
Prior to the 2017 Amendments, Japanese companies (including subsidiaries in Japan of foreign firms) were able to share personal data with foreign (or Japanese) parent firms and affiliates without prior consent by relying on the “joint use” exception described above. Following the 2017 Amendments, however, these companies may no longer provide personal data to foreign companies without prior consent, even if the foreign company is a parent or otherwise affiliated company.
However, where the foreign affiliate is located in any of the above equivalent countries, the stringent rule under Article 24 of the PIPA will not apply, and it will be possible to provide personal data to such foreign affiliates if the requirements under the “joint use” exception have been satisfied.
Provision of Personal Data to Foreign Headquarters or Branch Offices
Unlike in the case of a foreign subsidiary, where a Japanese company provides personal data to a branch office in a foreign country, that branch office will not be considered a third party and the prior consent will not be required. Similarly, when a Japanese branch provides personal data to a foreign headquarters or other branch offices in a foreign country, prior consent will also not be required (thereby making Japanese branch structures popular for reasons other than tax and administrative efficiency).
Provision of Personal Data to Foreign Outsourcees
Prior to the 2017 Amendments, Japanese companies could also share personal data with foreign outsourcees without obtaining prior consent by relying on the outsourcee exception described above. Following the 2017 Amendments, however, Japanese companies may not provide personal data to foreign outsourcees without the individual’s consent to provision to a third party in a foreign country (except where the outsourcee is located in one of the equivalent countries noted above). Accordingly, Japanese companies (including subsidiaries in Japan of foreign companies) must take great care to understand how data will be handled by the firms to which they outsource operations that may involve personal data.
Methods for Obtaining and Documenting Consent
Methods for Obtaining Consent Under Article 23 of the PIPA
Article 23 does not require consent to be given in writing; online or oral consent is acceptable as long as the means by which it is obtained are reasonable and appropriate. The guidelines published by the Personal Information Protection Commission list the following methods as reasonable and appropriate:
Although the guidelines do not say so expressly, it is generally understood that “negative consent” (i.e., consent deemed to be given by silence or by the absence of any objection) is not considered reasonable and appropriate.
Methods for Obtaining Consent Under Article 24 of the PIPA
The above guidelines are also applicable to the consent required to be obtained under Article 24. However, the consent under Article 24 needs to make it clear that the relevant individual has acknowledged and agreed that personal data will be provided to a third party in a foreign country. In connection with this, the consent should include the country or region to which personal data will be provided.
Retention of Records
Upon providing personal data to a third party, the PIPA requires the provider to prepare records of the provision in writing, by electromagnetic record, or in microfilm and to retain these records for three years (Article 25). The records must include the following information:
Private Rights of Action and Penalties for Violations of the PIPA
Civil Liabilities
Those who provide personal data to a third party in violation of the PIPA may be subject to civil actions by the relevant individuals and may be liable for damages arising from such violation. Damages in such actions are likely to be modest while the cost of maintaining a civil action can be high. Since Japan has no formal “class action” system for litigating claims for a large group of damaged parties, the number of court actions based on civil liability claims is likely to be modest.
Criminal Penalties
Those who provide personal data to a third party in violation of the PIPA may be subject to an administrative order for business improvement issued by the Personal Information Protection Commission (Article 42(2)). Further, those who violate such an order may be subject to imprisonment of not more than six months or a fine of not more than JPY 300,000 (approximately US$2,700) (Article 84).
Subsidiaries of foreign commercial and financial groups (especially firms in regulated businesses) must be particularly careful to ensure compliance with the PIPA, as the handling of personal information may be further regulated under their separate sectoral regimes, and compliance with both the PIPA and those separate regulations is often examined in regulatory inspections. Because of these concerns, many firms are now engaged in a comprehensive review of how personal data is handled and, in particular, of the circumstances in which it may be transferred out of Japan. Such reviews often lead to the conclusion that an entirely new and compliant approach to handling personal data will need to be implemented.
The following are among the most significant changes that firms currently addressing PIPA compliance are concerned with:
If you have any questions or would like more information on the issues discussed in this Insight, please contact any of the following Morgan Lewis lawyers:
Tokyo
Narumi Ito